Internet Protocol Security - Wikipedia
<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-sticky-header-enabled vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Internet Protocol Security - Wikipedia</title>
<meta name="generator" content="MediaWiki 1.44.0-wmf.23"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Internet Protocol Security - Wikipedia"> <meta property="og:type" content="website">
<link rel="canonical" href="https://en.wikipedia.org/wiki/Internet_Protocol_Security"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> </head>
<body class="skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Internet_Protocol_Security rootpage-Internet_Protocol_Security skin-vector-2022 action-view">
<div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <h1 id="firstHeading" class="firstHeading
mw-first-heading"><span class="mw-page-title-main">Internet Protocol Security</span></h1> </header>
<div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"><span class="mw-redirectedfrom">(Redirected from <a href="/w/index.php?title=IPsec&redirect=no" class="mw-redirect" title="IPsec">IPsec</a>)</span></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Secure network protocol suite</div> <style data-mw-deduplicate="TemplateStyles:r1257001546">.mw-parser-output 
.infobox-subbox{padding:0;border:none;margin:-3px;width:auto;min-width:100%;font-size:100%;clear:none;float:none;background-color:transparent}.mw-parser-output .infobox-3cols-child{margin:auto}.mw-parser-output .infobox .navbar{font-size:100%}@media screen{html.skin-theme-clientpref-night .mw-parser-output .infobox-full-data:not(.notheme)>div:not(.notheme)[style]{background:#1f1f23!important;color:#f8f9fa}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .infobox-full-data:not(.notheme) div:not(.notheme){background:#1f1f23!important;color:#f8f9fa}}@media(min-width:640px){body.skin--responsive .mw-parser-output .infobox-table{display:table!important}body.skin--responsive .mw-parser-output .infobox-table>caption{display:table-caption!important}body.skin--responsive .mw-parser-output .infobox-table>tbody{display:table-row-group}body.skin--responsive .mw-parser-output .infobox-table tr{display:table-row!important}body.skin--responsive .mw-parser-output .infobox-table th,body.skin--responsive .mw-parser-output .infobox-table td{padding-left:inherit;padding-right:inherit}}</style><table class="infobox hproduct"><caption class="infobox-title fn">IPsec</caption><tbody><tr><td colspan="2" class="infobox-subheader">Internet Protocol Security</td></tr><tr><th scope="row" class="infobox-label">Year started</th><td class="infobox-data">1996</td></tr><tr><th scope="row" class="infobox-label">Organization</th><td class="infobox-data"><a href="/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force">Internet Engineering Task Force</a></td></tr><tr><th scope="row" class="infobox-label">Base standards</th><td class="infobox-data">Various, see IETF documentation chapter</td></tr></tbody></table> <style data-mw-deduplicate="TemplateStyles:r1129693374">.mw-parser-output .hlist dl,.mw-parser-output .hlist ol,.mw-parser-output .hlist ul{margin:0;padding:0}.mw-parser-output .hlist dd,.mw-parser-output .hlist 
dt,.mw-parser-output .hlist li{margin:0;display:inline}.mw-parser-output .hlist.inline,.mw-parser-output .hlist.inline dl,.mw-parser-output .hlist.inline ol,.mw-parser-output .hlist.inline ul,.mw-parser-output .hlist dl dl,.mw-parser-output .hlist dl ol,.mw-parser-output .hlist dl ul,.mw-parser-output .hlist ol dl,.mw-parser-output .hlist ol ol,.mw-parser-output .hlist ol ul,.mw-parser-output .hlist ul dl,.mw-parser-output .hlist ul ol,.mw-parser-output .hlist ul ul{display:inline}.mw-parser-output .hlist .mw-empty-li{display:none}.mw-parser-output .hlist dt::after{content:": "}.mw-parser-output .hlist dd::after,.mw-parser-output .hlist li::after{content:" · ";font-weight:bold}.mw-parser-output .hlist dd:last-child::after,.mw-parser-output .hlist dt:last-child::after,.mw-parser-output .hlist li:last-child::after{content:none}.mw-parser-output .hlist dd dd:first-child::before,.mw-parser-output .hlist dd dt:first-child::before,.mw-parser-output .hlist dd li:first-child::before,.mw-parser-output .hlist dt dd:first-child::before,.mw-parser-output .hlist dt dt:first-child::before,.mw-parser-output .hlist dt li:first-child::before,.mw-parser-output .hlist li dd:first-child::before,.mw-parser-output .hlist li dt:first-child::before,.mw-parser-output .hlist li li:first-child::before{content:" (";font-weight:normal}.mw-parser-output .hlist dd dd:last-child::after,.mw-parser-output .hlist dd dt:last-child::after,.mw-parser-output .hlist dd li:last-child::after,.mw-parser-output .hlist dt dd:last-child::after,.mw-parser-output .hlist dt dt:last-child::after,.mw-parser-output .hlist dt li:last-child::after,.mw-parser-output .hlist li dd:last-child::after,.mw-parser-output .hlist li dt:last-child::after,.mw-parser-output .hlist li li:last-child::after{content:")";font-weight:normal}.mw-parser-output .hlist ol{counter-reset:listitem}.mw-parser-output .hlist ol>li{counter-increment:listitem}.mw-parser-output .hlist ol>li::before{content:" "counter(listitem)"\a0 
"}.mw-parser-output .hlist dd ol>li:first-child::before,.mw-parser-output .hlist dt ol>li:first-child::before,.mw-parser-output .hlist li ol>li:first-child::before{content:" ("counter(listitem)"\a0 "}</style><style data-mw-deduplicate="TemplateStyles:r1246091330">.mw-parser-output .sidebar{width:22em;float:right;clear:right;margin:0.5em 0 1em 1em;background:var(--background-color-neutral-subtle,#f8f9fa);border:1px solid var(--border-color-base,#a2a9b1);padding:0.2em;text-align:center;line-height:1.4em;font-size:88%;border-collapse:collapse;display:table}body.skin-minerva .mw-parser-output .sidebar{display:table!important;float:right!important;margin:0.5em 0 1em 1em!important}.mw-parser-output .sidebar-subgroup{width:100%;margin:0;border-spacing:0}.mw-parser-output .sidebar-left{float:left;clear:left;margin:0.5em 1em 1em 0}.mw-parser-output .sidebar-none{float:none;clear:both;margin:0.5em 1em 1em 0}.mw-parser-output .sidebar-outer-title{padding:0 0.4em 0.2em;font-size:125%;line-height:1.2em;font-weight:bold}.mw-parser-output .sidebar-top-image{padding:0.4em}.mw-parser-output .sidebar-top-caption,.mw-parser-output .sidebar-pretitle-with-top-image,.mw-parser-output .sidebar-caption{padding:0.2em 0.4em 0;line-height:1.2em}.mw-parser-output .sidebar-pretitle{padding:0.4em 0.4em 0;line-height:1.2em}.mw-parser-output .sidebar-title,.mw-parser-output .sidebar-title-with-pretitle{padding:0.2em 0.8em;font-size:145%;line-height:1.2em}.mw-parser-output .sidebar-title-with-pretitle{padding:0.1em 0.4em}.mw-parser-output .sidebar-image{padding:0.2em 0.4em 0.4em}.mw-parser-output .sidebar-heading{padding:0.1em 0.4em}.mw-parser-output .sidebar-content{padding:0 0.5em 0.4em}.mw-parser-output .sidebar-content-with-subgroup{padding:0.1em 0.4em 0.2em}.mw-parser-output .sidebar-above,.mw-parser-output .sidebar-below{padding:0.3em 0.8em;font-weight:bold}.mw-parser-output .sidebar-collapse .sidebar-above,.mw-parser-output .sidebar-collapse .sidebar-below{border-top:1px solid 
#aaa;border-bottom:1px solid #aaa}</style><p>In <a href="/wiki/Computing" title="Computing">computing</a>, <b>Internet Protocol Security</b> (<b>IPsec</b>) is a secure network <a href="/wiki/Protocol_suite" class="mw-redirect" title="Protocol suite">protocol suite</a> that <a href="/wiki/Authentication" title="Authentication">authenticates</a> and <a href="/wiki/Encryption" title="Encryption">encrypts</a> <a href="/wiki/Packet_(information_technology)" class="mw-redirect" title="Packet (information technology)">packets</a> of data to provide secure encrypted communication between two computers over an <a href="/wiki/Internet_Protocol" title="Internet Protocol">Internet Protocol</a> network. It is used in <a href="/wiki/Virtual_private_network" title="Virtual private network">virtual private networks</a> (VPNs). 
</p><p>IPsec includes protocols for establishing <a href="/wiki/Mutual_authentication" title="Mutual authentication">mutual authentication</a> between agents at the beginning of a <a href="/wiki/Session_(computer_science)" title="Session (computer science)">session</a> and negotiation of <a href="/wiki/Key_(cryptography)" title="Key (cryptography)">cryptographic keys</a> to use during the session. IPsec can protect data flows between a pair of hosts (<i>host-to-host</i>), between a pair of security gateways (<i>network-to-network</i>), or between a security gateway and a host (<i>network-to-host</i>).<sup id="cite_ref-rfc2406_1-0" class="reference"><a href="#cite_note-rfc2406-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> IPsec uses cryptographic security services to protect communications over <a href="/wiki/Internet_Protocol" title="Internet Protocol">Internet Protocol</a> (IP) networks. It supports network-level peer authentication, <a href="/wiki/Data_origin_authentication" class="mw-redirect" title="Data origin authentication">data origin authentication</a>, <a href="/wiki/Data_integrity" title="Data integrity">data integrity</a>, data confidentiality (<a href="/wiki/Encryption" title="Encryption">encryption</a>), and protection from <a href="/wiki/Replay_attack" title="Replay attack">replay attacks</a>. </p><p>The protocol was designed by a committee instead of being designed via a competition. Some experts criticized it, stating that it is complex and has a large number of options, which has a devastating effect on a security standard.<sup id="cite_ref-2" class="reference"><a href="#cite_note-2"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup> It has also been alleged that the <a href="/wiki/National_Security_Agency" title="National Security Agency">NSA</a> interfered to weaken its security features. 
</p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="History">History</h2></div> <p>Starting in the early 1970s, the <a href="/wiki/DARPA" title="DARPA">Advanced Research Projects Agency</a> sponsored a series of experimental <a href="/wiki/ARPANET_encryption_devices" title="ARPANET encryption devices">ARPANET encryption devices</a>, at first for native <a href="/wiki/ARPANET" title="ARPANET">ARPANET</a> packet encryption and subsequently for <a href="/wiki/TCP/IP" class="mw-redirect" title="TCP/IP">TCP/IP</a> packet encryption; some of these were certified and fielded. From 1986 to 1991, the <a href="/wiki/NSA" class="mw-redirect" title="NSA">NSA</a> sponsored the development of security protocols for the Internet under its Secure Data Network Systems (SDNS) program.<sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup> This brought together various vendors including <a href="/wiki/Motorola" title="Motorola">Motorola</a> who produced a network encryption device in 1988. 
The work was openly published from about 1988 by <a href="/wiki/National_Institute_of_Standards_and_Technology" title="National Institute of Standards and Technology">NIST</a> and, of these, <i>Security Protocol at Layer 3</i> (SP3) would eventually morph into the ISO standard Network Layer Security Protocol (NLSP).<sup id="cite_ref-4" class="reference"><a href="#cite_note-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> </p><p>In 1992, the US <a href="/wiki/Naval_Research_Laboratory" class="mw-redirect" title="Naval Research Laboratory">Naval Research Laboratory</a> (NRL) was funded by DARPA CSTO to implement IPv6 and to research and implement IP encryption in 4.4 <a href="/wiki/BSD" class="mw-redirect" title="BSD">BSD</a>, supporting both SPARC and x86 CPU architectures. DARPA made its implementation freely available via MIT. Under NRL's <a href="/wiki/DARPA" title="DARPA">DARPA</a>-funded research effort, NRL developed the <a href="/wiki/IETF" class="mw-redirect" title="IETF">IETF</a> standards-track specifications (RFC 1825 through RFC 1827) for IPsec.<sup id="cite_ref-MIT_5-0" class="reference"><a href="#cite_note-MIT-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> NRL's IPsec implementation was described in their paper in the 1996 <a href="/wiki/USENIX_Conference" class="mw-redirect" title="USENIX Conference">USENIX Conference</a> Proceedings.<sup id="cite_ref-6" class="reference"><a href="#cite_note-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup> NRL's open-source IPsec implementation was made available online by <a href="/wiki/MIT" class="mw-redirect" title="MIT">MIT</a> and became the basis for most initial commercial implementations.<sup id="cite_ref-MIT_5-1" class="reference"><a href="#cite_note-MIT-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> </p><p>The <a href="/wiki/Internet_Engineering_Task_Force" 
title="Internet Engineering Task Force">Internet Engineering Task Force</a> (IETF) formed the IP Security Working Group in 1992<sup id="cite_ref-7" class="reference"><a href="#cite_note-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> to standardize openly specified security extensions to IP, called <i>IPsec</i>.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> The NRL developed standards were published by the IETF as RFC 1825 through RFC 1827.<sup id="cite_ref-9" class="reference"><a href="#cite_note-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Security_architecture">Security architecture</h2></div> <p>The initial <a href="/wiki/IPv4" title="IPv4">IPv4</a> suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a <a href="/wiki/Layer_3" class="mw-redirect" title="Layer 3">layer 3</a> <a href="/wiki/OSI_model" title="OSI model">OSI model</a> or <a href="/wiki/Internet_layer" title="Internet layer">internet layer</a> end-to-end security scheme. 
In contrast, while some other Internet security systems in widespread use operate above the <a href="/wiki/Network_layer" title="Network layer">network layer</a>, such as <a href="/wiki/Transport_Layer_Security" title="Transport Layer Security">Transport Layer Security</a> (TLS) that operates above the <a href="/wiki/Transport_layer" title="Transport layer">transport layer</a> and <a href="/wiki/Secure_Shell" title="Secure Shell">Secure Shell</a> (SSH) that operates at the <a href="/wiki/Application_layer" title="Application layer">application layer</a>, IPsec can automatically secure applications at the <a href="/wiki/Internet_layer" title="Internet layer">internet layer</a>. </p><p>IPsec is an <a href="/wiki/Open_standard" title="Open standard">open standard</a> as a part of the IPv4 suite and uses the following <a href="/wiki/Protocol_(computing)" class="mw-redirect" title="Protocol (computing)">protocols</a> to perform various functions:<sup id="cite_ref-rfc6071_10-0" class="reference"><a href="#cite_note-rfc6071-10"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc4308_11-0" class="reference"><a href="#cite_note-rfc4308-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> </p> <ul><li><a href="#Authentication_Header">Authentication Header (AH)</a> provides connectionless <a href="/wiki/Data_integrity" title="Data integrity">data integrity</a> and <a href="/wiki/Data_origin_authentication" class="mw-redirect" title="Data origin authentication">data origin authentication</a> for IP <a href="/wiki/Datagrams" class="mw-redirect" title="Datagrams">datagrams</a> and provides protection against IP header modification attacks and <a href="/wiki/Replay_attack" title="Replay attack">replay attacks</a>.<sup id="cite_ref-rfc4302_12-0" class="reference"><a href="#cite_note-rfc4302-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup></li> <li><a 
href="#Encapsulating_Security_Payload">Encapsulating Security Payload (ESP)</a> provides <a href="/wiki/Confidentiality" title="Confidentiality">confidentiality</a>, connectionless data integrity, data origin <a href="/wiki/Authentication" title="Authentication">authentication</a>, an anti-replay service (a form of partial sequence integrity), and limited traffic-flow confidentiality.<sup id="cite_ref-rfc2406_1-1" class="reference"><a href="#cite_note-rfc2406-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup></li></ul> <ul><li><a href="/wiki/Internet_Security_Association_and_Key_Management_Protocol" title="Internet Security Association and Key Management Protocol">Internet Security Association and Key Management Protocol</a> (ISAKMP) provides a framework for authentication and key exchange,<sup id="cite_ref-rfc2409_sec1_13-0" class="reference"><a href="#cite_note-rfc2409_sec1-13"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> with actual authenticated keying material provided either by manual configuration with <a href="/wiki/Pre-shared_key" title="Pre-shared key">pre-shared keys</a>, <a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">Internet Key Exchange</a> (IKE and IKEv2), <a href="/wiki/Kerberized_Internet_Negotiation_of_Keys" title="Kerberized Internet Negotiation of Keys">Kerberized Internet Negotiation of Keys</a> (KINK), or IPSECKEY <a href="/wiki/List_of_DNS_record_types" title="List of DNS record types">DNS records</a>.<sup id="cite_ref-rfc2409_14-0" class="reference"><a href="#cite_note-rfc2409-14"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc4306_15-0" class="reference"><a href="#cite_note-rfc4306-15"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc4430_16-0" class="reference"><a href="#cite_note-rfc4430-16"><span class="cite-bracket">[</span>16<span 
class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc4025_17-0" class="reference"><a href="#cite_note-rfc4025-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> The purpose is to generate the <a href="#Security_association">security associations (SA)</a> with the bundle of algorithms and parameters necessary for AH and/or ESP operations.</li></ul> <div class="mw-heading mw-heading3"><h3 id="Authentication_Header">Authentication Header</h3></div> <figure class="mw-default-size" typeof="mw:File/Thumb"><a href="/wiki/File:Ipsec-ah.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Ipsec-ah.svg/250px-Ipsec-ah.svg.png" decoding="async" width="220" height="110" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Ipsec-ah.svg/330px-Ipsec-ah.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/a/a8/Ipsec-ah.svg/500px-Ipsec-ah.svg.png 2x" data-file-width="1205" data-file-height="602" /></a><figcaption>Usage of IPsec Authentication Header format in Tunnel and Transport modes</figcaption></figure> <p>The Security Authentication Header (AH) was developed at the <a href="/wiki/US_Naval_Research_Laboratory" class="mw-redirect" title="US Naval Research Laboratory">US Naval Research Laboratory</a> in the early 1990s and is derived in part from previous IETF standards' work for authentication of the <a href="/wiki/Simple_Network_Management_Protocol" title="Simple Network Management Protocol">Simple Network Management Protocol</a> (SNMP) version 2. Authentication Header (AH) is a member of the IPsec protocol suite. 
AH ensures connectionless <a href="/wiki/Data_integrity" title="Data integrity">integrity</a> by using a <a href="/wiki/Hash_function" title="Hash function">hash function</a> and a secret shared key in the AH algorithm. AH also guarantees the data origin by <a href="/wiki/Authenticating" class="mw-redirect" title="Authenticating">authenticating</a> IP <a href="/wiki/Packet_(information_technology)" class="mw-redirect" title="Packet (information technology)">packets</a>. Optionally a sequence number can protect the IPsec packet's contents against <a href="/wiki/Replay_attack" title="Replay attack">replay attacks</a>,<sup id="cite_ref-18" class="reference"><a href="#cite_note-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc4949_19-0" class="reference"><a href="#cite_note-rfc4949-19"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup> using the <a href="/wiki/Sliding_window" class="mw-redirect" title="Sliding window">sliding window</a> technique and discarding old packets. </p> <ul><li>In <a href="/wiki/IPv4" title="IPv4">IPv4</a>, AH prevents option-insertion attacks. In <a href="/wiki/IPv6" title="IPv6">IPv6</a>, AH protects both against header insertion attacks and option insertion attacks.</li> <li>In <a href="/wiki/IPv4" title="IPv4">IPv4</a>, the AH protects the IP payload and all header fields of an <a href="/wiki/IP_datagram" class="mw-redirect" title="IP datagram">IP datagram</a> except for mutable fields (i.e. 
those that might be altered in transit), and also IP options such as the IP Security Option.<sup id="cite_ref-rfc1108_20-0" class="reference"><a href="#cite_note-rfc1108-20"><span class="cite-bracket">[</span>20<span class="cite-bracket">]</span></a></sup> Mutable (and therefore unauthenticated) IPv4 header fields are <a href="/wiki/Differentiated_services_code_point" class="mw-redirect" title="Differentiated services code point">DSCP</a>/<a href="/wiki/Type_of_service" title="Type of service">ToS</a>, <a href="/wiki/Explicit_Congestion_Notification" title="Explicit Congestion Notification">ECN</a>, Flags, <a href="/wiki/IP_fragmentation" title="IP fragmentation">Fragment</a> <a href="/wiki/Offset_(computer_science)" title="Offset (computer science)">Offset</a>, <a href="/wiki/Time_to_live" title="Time to live">TTL</a> and <a href="/wiki/IPv4_header_checksum" class="mw-redirect" title="IPv4 header checksum">Header Checksum</a>.<sup id="cite_ref-rfc4302_12-1" class="reference"><a href="#cite_note-rfc4302-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup></li> <li>In <a href="/wiki/IPv6" title="IPv6">IPv6</a>, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. 
Protection for the IPv6 header excludes the mutable fields: <a href="/wiki/Differentiated_services_code_point" class="mw-redirect" title="Differentiated services code point">DSCP</a>, <a href="/wiki/Explicit_Congestion_Notification" title="Explicit Congestion Notification">ECN</a>, Flow Label, and Hop Limit.<sup id="cite_ref-rfc4302_12-2" class="reference"><a href="#cite_note-rfc4302-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup></li></ul> <p>AH operates directly on top of IP, using <a href="/wiki/List_of_IP_protocol_numbers" title="List of IP protocol numbers">IP protocol number <span class="monospaced">51</span></a>.<sup id="cite_ref-iana_21-0" class="reference"><a href="#cite_note-iana-21"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup> </p><p>The following AH packet diagram shows how an AH packet is constructed and interpreted:<sup id="cite_ref-rfc4302_12-3" class="reference"><a href="#cite_note-rfc4302-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p> <table class="wikitable" style="text-align: center; border: none;"> <caption>Authentication Header format </caption> <tbody><tr> <th style="min-width:42px; border-bottom:none; border-right:none;"><i>Offset</i> </th> <th style="border-left:none;"><a href="/wiki/Octet_(computing)" title="Octet (computing)">Octet</a> </th> <th colspan="8">0 </th> <th colspan="8">1 </th> <th colspan="8">2 </th> <th colspan="8">3 </th></tr> <tr> <th style="min-width: 42px;border-top: none;">Octet </th> <th style="min-width: 42px;"><a href="/wiki/Bit" title="Bit">Bit</a> </th> <th style="min-width:11px;">0 </th> <th style="min-width:11px;">1 </th> <th style="min-width:11px;">2 </th> <th style="min-width:11px;">3 </th> <th style="min-width:11px;">4 </th> <th style="min-width:11px;">5 </th> <th style="min-width:11px;">6 
</th> <th style="min-width:11px;">7 </th> <th style="min-width:11px;">8 </th> <th style="min-width:11px;">9 </th> <th style="min-width:16px;">10 </th> <th style="min-width:16px;">11 </th> <th style="min-width:16px;">12 </th> <th style="min-width:16px;">13 </th> <th style="min-width:16px;">14 </th> <th style="min-width:16px;">15 </th> <th style="min-width:16px;">16 </th> <th style="min-width:16px;">17 </th> <th style="min-width:16px;">18 </th> <th style="min-width:16px;">19 </th> <th style="min-width:16px;">20 </th> <th style="min-width:16px;">21 </th> <th style="min-width:16px;">22 </th> <th style="min-width:16px;">23 </th> <th style="min-width:16px;">24 </th> <th style="min-width:16px;">25 </th> <th style="min-width:16px;">26 </th> <th style="min-width:16px;">27 </th> <th style="min-width:16px;">28 </th> <th style="min-width:16px;">29 </th> <th style="min-width:16px;">30 </th> <th style="min-width:16px;">31 </th></tr> <tr> <th style="width:35px;">0 </th> <th style="width:30px;">0 </th> <td colspan="8"><i>Next Header</i> </td> <td colspan="8"><i>Payload Len</i> </td> <td colspan="16"><i>Reserved</i> </td></tr> <tr> <th style="width:35px;">4 </th> <th style="width:30px;">32 </th> <td colspan="32"><i>Security Parameters Index</i> </td></tr> <tr> <th style="width:35px;">8 </th> <th style="width:30px;">64 </th> <td colspan="32"><i>Sequence Number</i> </td></tr> <tr> <th style="width:35px;"><span style="white-space: nowrap;"><i>12</i></span> </th> <th style="width:30px;"><span style="white-space: nowrap;"><i>96</i></span> </th> <td colspan="32" rowspan="2"><i>Integrity Check Value</i> </td></tr> <tr> <th>⋮ </th> <th>⋮ </th></tr></tbody></table> <dl><dt>Next Header: 8 bits</dt> <dd>Type of the next header, indicating what upper-layer protocol was protected. 
The value is taken from the <a href="/wiki/List_of_IP_protocol_numbers" title="List of IP protocol numbers">list of IP protocol numbers</a>.</dd> <dt>Payload Len: 8 bits</dt> <dd>The length of this <i>Authentication Header</i> in 4-octet units, minus 2. For example, a Payload Len value of 4 equals 3×(32-bit fixed-length AH fields) + 3×(32-bit ICV fields) − 2, and thus a Payload Len value of 4 means the header is 24 octets long. Although the size is measured in 4-octet units, the length of this header needs to be a multiple of 8 octets if carried in an IPv6 packet. This restriction does not apply to an <i>Authentication Header</i> carried in an IPv4 packet.</dd> <dt>Reserved: 16 bits</dt> <dd>Reserved for future use (all zeroes until then).</dd> <dt>Security Parameters Index: 32 bits</dt> <dd>Arbitrary value which is used (together with the destination IP address) to identify the <a href="/wiki/Security_association" title="Security association">security association</a> of the receiving party.</dd> <dt><span id="sequence_number">Sequence Number</span>: 32 bits</dt> <dd>A <a href="/wiki/Monotonic" class="mw-redirect" title="Monotonic">monotonic</a> strictly increasing sequence number (incremented by 1 for every packet sent) to prevent <a href="/wiki/Replay_attack" title="Replay attack">replay attacks</a>. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value.<sup id="cite_ref-rfc4302_12-4" class="reference"><a href="#cite_note-rfc4302-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup></dd> <dt>Integrity Check Value: multiple of 32 bits</dt> <dd>Variable length check value. 
It may contain padding to align the field to an 8-octet boundary for <a href="/wiki/IPv6" title="IPv6">IPv6</a>, or a 4-octet boundary for <a href="/wiki/IPv4" title="IPv4">IPv4</a>.</dd></dl> <div class="mw-heading mw-heading3"><h3 id="Encapsulating_Security_Payload">Encapsulating Security Payload</h3></div> <figure class="mw-default-size" typeof="mw:File/Thumb"><a href="/wiki/File:Ipsec-esp-tunnel-and-transport.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/6/64/Ipsec-esp-tunnel-and-transport.svg/250px-Ipsec-esp-tunnel-and-transport.svg.png" decoding="async" width="220" height="89" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/6/64/Ipsec-esp-tunnel-and-transport.svg/330px-Ipsec-esp-tunnel-and-transport.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/6/64/Ipsec-esp-tunnel-and-transport.svg/500px-Ipsec-esp-tunnel-and-transport.svg.png 2x" data-file-width="1488" data-file-height="602" /></a><figcaption>Usage of IPsec Encapsulating Security Payload (ESP) in Tunnel and Transport modes</figcaption></figure> <p>The IP Encapsulating Security Payload (ESP)<sup id="cite_ref-22" class="reference"><a href="#cite_note-22"><span class="cite-bracket">[</span>22<span class="cite-bracket">]</span></a></sup> was developed at the <a href="/wiki/Naval_Research_Laboratory" class="mw-redirect" title="Naval Research Laboratory">Naval Research Laboratory</a> starting in 1992 as part of a <a href="/wiki/DARPA" title="DARPA">DARPA</a>-sponsored research project, and was openly published by <a href="/wiki/IETF" class="mw-redirect" title="IETF">IETF</a> SIPP<sup id="cite_ref-23" class="reference"><a href="#cite_note-23"><span 
class="cite-bracket">[</span>23<span class="cite-bracket">]</span></a></sup> Working Group drafted in December 1993 as a security extension for SIPP. This <a href="#Encapsulating_Security_Payload">ESP</a> was originally derived from the US Department of Defense <a href="/w/index.php?title=SP3D&action=edit&redlink=1" class="new" title="SP3D (page does not exist)">SP3D</a> protocol, rather than being derived from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by <a href="/wiki/NIST" class="mw-redirect" title="NIST">NIST</a> in the late 1980s, but designed by the Secure Data Network System project of the <a href="/wiki/US_Department_of_Defense" class="mw-redirect" title="US Department of Defense">US Department of Defense</a>. Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin <a href="/wiki/Information_security#Authenticity" title="Information security">authenticity</a> through source <a href="/wiki/Authentication" title="Authentication">authentication</a>, <a href="/wiki/Data_integrity" title="Data integrity">data integrity</a> through hash functions and <a href="/wiki/Confidentiality" title="Confidentiality">confidentiality</a> through <a href="/wiki/Encryption" title="Encryption">encryption</a> protection for IP <a href="/wiki/Packet_(information_technology)" class="mw-redirect" title="Packet (information technology)">packets</a>. 
ESP also supports <a href="/wiki/Encryption" title="Encryption">encryption</a>-only and <a href="/wiki/Authentication" title="Authentication">authentication</a>-only configurations, but using encryption without authentication is strongly discouraged because it is insecure: without an integrity check, the receiver cannot detect ciphertext that has been modified in transit.<sup id="cite_ref-24" class="reference"><a href="#cite_note-24"><span class="cite-bracket">[</span>24<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-25" class="reference"><a href="#cite_note-25"><span class="cite-bracket">[</span>25<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-26" class="reference"><a href="#cite_note-26"><span class="cite-bracket">[</span>26<span class="cite-bracket">]</span></a></sup> </p><p>Unlike <a href="/wiki/Authentication_Header" class="mw-redirect" title="Authentication Header">Authentication Header (AH)</a>, ESP in transport mode does not provide integrity and authentication for the entire <a href="/wiki/IP_packet_(disambiguation)" class="mw-redirect mw-disambig" title="IP packet (disambiguation)">IP packet</a>. However, in <a href="/wiki/Tunneling_protocol" title="Tunneling protocol">tunnel mode</a>, where the entire original IP packet is <a href="/wiki/Information_hiding" title="Information hiding">encapsulated</a> with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. 
</p><p>ESP operates directly on top of IP, using IP protocol number 50.<sup id="cite_ref-iana_21-1" class="reference"><a href="#cite_note-iana-21"><span class="cite-bracket">[</span>21<span class="cite-bracket">]</span></a></sup> </p><p>The following ESP packet diagram shows how an ESP packet is constructed and interpreted:<sup id="cite_ref-rfc4303_27-0" class="reference"><a href="#cite_note-rfc4303-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup> </p> <table class="wikitable" style="text-align: center; border: none;"> <caption>Encapsulating Security Payload format </caption> <tbody><tr> <th style="min-width:42px; border-bottom:none; border-right:none;"><i>Offset</i> </th> <th style="border-left:none;"><a href="/wiki/Octet_(computing)" title="Octet (computing)">Octet</a> </th> <th colspan="8">0 </th> <th colspan="8">1 </th> <th colspan="8">2 </th> <th colspan="8">3 </th></tr> <tr> <th style="min-width: 42px;border-top: none;">Octet </th> <th style="min-width: 42px;"><a href="/wiki/Bit" title="Bit">Bit</a> </th> <th style="min-width:11px;">0 </th> <th style="min-width:11px;">1 </th> <th style="min-width:11px;">2 </th> <th style="min-width:11px;">3 </th> <th style="min-width:11px;">4 </th> <th style="min-width:11px;">5 </th> <th style="min-width:11px;">6 </th> <th style="min-width:11px;">7 </th> <th style="min-width:11px;">8 </th> <th style="min-width:11px;">9 </th> <th style="min-width:16px;">10 </th> <th style="min-width:16px;">11 </th> <th style="min-width:16px;">12 </th> <th style="min-width:16px;">13 </th> <th style="min-width:16px;">14 </th> <th style="min-width:16px;">15 </th> <th style="min-width:16px;">16 </th> <th style="min-width:16px;">17 </th> <th style="min-width:16px;">18 </th> <th style="min-width:16px;">19 </th> <th style="min-width:16px;">20 </th> <th style="min-width:16px;">21 </th> <th style="min-width:16px;">22 </th> <th style="min-width:16px;">23 </th> <th style="min-width:16px;">24 </th> <th 
style="min-width:16px;">25 </th> <th style="min-width:16px;">26 </th> <th style="min-width:16px;">27 </th> <th style="min-width:16px;">28 </th> <th style="min-width:16px;">29 </th> <th style="min-width:16px;">30 </th> <th style="min-width:16px;">31 </th></tr> <tr> <th style="width:35px;">0 </th> <th style="width:30px;">0 </th> <td colspan="32"><i>Security Parameters Index</i> </td></tr> <tr> <th style="width:35px;">4 </th> <th style="width:30px;">32 </th> <td colspan="32"><i>Sequence Number</i> </td></tr> <tr> <th style="width:35px;"><span style="white-space: nowrap;"><i>8</i></span> </th> <th style="width:30px;"><span style="white-space: nowrap;"><i>64</i></span> </th> <td colspan="32" rowspan="2" style="background: mistyrose;border-bottom: none;"><i>Payload Data</i> </td></tr> <tr> <th>⋮ </th> <th>⋮ </th></tr> <tr> <th style="width:35px;">⋮ </th> <th style="width:30px;">⋮ </th> <td colspan="8" style="background: mistyrose;border-top: none;"><i><span class="nowrap"> </span></i> </td> <td colspan="24" style="background: linen;border-bottom: none;"><i><span class="nowrap"> </span></i> </td></tr> <tr> <th style="width:35px;">⋮ </th> <th style="width:30px;">⋮ </th> <td colspan="32" style="background: linen;border-top: none; border-bottom: none;"><i>(Padding)</i> </td></tr> <tr> <th style="width:35px;">⋮ </th> <th style="width:30px;">⋮ </th> <td colspan="16" style="background: linen;border-top: none;"><i><span class="nowrap"> </span></i> </td> <td colspan="8"><i>Pad Length</i> </td> <td colspan="8"><i>Next Header</i> </td></tr> <tr> <th style="width:35px;">⋮ </th> <th style="width:30px;">⋮ </th> <td colspan="32" rowspan="2"><i>Integrity Check Value<br />⋮</i> </td></tr> <tr> <th>⋮ </th> <th>⋮ </th></tr></tbody></table> <dl><dt>Security Parameters Index<span class="nowrap"> </span>(SPI): 32 bits</dt> <dd>Arbitrary value used (together with the destination IP address) to identify the <a href="/wiki/Security_association" title="Security association">security 
association</a> of the receiving party.</dd> <dt>Sequence Number: 32 bits</dt> <dd>A <a href="/wiki/Monotonic" class="mw-redirect" title="Monotonic">monotonically</a> increasing sequence number (incremented by 1 for every packet sent) to protect against <a href="/wiki/Replay_attack" title="Replay attack">replay attacks</a>. There is a separate counter kept for every security association.</dd> <dt>Payload Data: variable</dt> <dd>The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the <i>Next Header</i> field.</dd> <dt>Padding: 0-255 octets</dt> <dd>Optional. Padding for encryption, to extend the payload data to a size that fits the encryption's <a href="/wiki/Block_cipher" title="Block cipher">cipher</a> <a href="/wiki/Block_size_(cryptography)" title="Block size (cryptography)">block size</a>, and to align the next field.</dd> <dt>Pad Length: 8 bits</dt> <dd>Size of the padding (in octets).</dd> <dt>Next Header: 8 bits</dt> <dd>Indicates the <a href="/wiki/List_of_IP_protocol_numbers" title="List of IP protocol numbers">protocol type</a> of the <i>Payload Data</i>,<sup id="cite_ref-rfc4303_27-1" class="reference"><a href="#cite_note-rfc4303-27"><span class="cite-bracket">[</span>27<span class="cite-bracket">]</span></a></sup><sup class="reference nowrap"><span title="Location: §2.6">: §2.6 </span></sup> like the value <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r886049734" /><span class="monospaced">6</span> for <a href="/wiki/Transmission_Control_Protocol" title="Transmission Control Protocol">TCP</a>. As ESP is an encapsulation protocol, a value of <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r886049734" /><span class="monospaced">4</span> is also possible, indicating <a href="/wiki/IP_in_IP" title="IP in IP">IP in IP</a>. 
A value of <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r886049734" /><span class="monospaced">41</span> indicates <a href="/wiki/IPv6" title="IPv6">IPv6</a> encapsulated in <a href="/wiki/IPv4" title="IPv4">IPv4</a>, e.g. <a href="/wiki/6to4" title="6to4">6to4</a>. The value <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r886049734" /><span class="monospaced">59</span> (meaning: <i>No Next Header</i>) is used for dummy packets, which may be inserted in the stream, and whose contents should be discarded.</dd> <dt>Integrity Check Value<span class="nowrap"> </span>(ICV): variable</dt> <dd>Variable length check value. It may contain padding to align the field to an 8-octet boundary for <a href="/wiki/IPv6" title="IPv6">IPv6</a>, or a 4-octet boundary for <a href="/wiki/IPv4" title="IPv4">IPv4</a>.</dd></dl> <div class="mw-heading mw-heading3"><h3 id="Security_association">Security association</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=5" title="Edit section: Security association"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/Security_association" title="Security association">Security association</a></div> <p>The IPsec protocols use a <a href="/wiki/Security_association" title="Security association">security association</a>, where the communicating parties establish shared security attributes such as <a href="/wiki/Algorithms" 
class="mw-redirect" title="Algorithms">algorithms</a> and keys. As such, IPsec provides a range of options once it has been determined whether AH or ESP is used. Before exchanging data, the two hosts agree on which <a href="/wiki/Symmetric-key_algorithm" title="Symmetric-key algorithm">symmetric encryption algorithm</a> is used to encrypt the IP packet, for example <a href="/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a> or <a href="/wiki/ChaCha20" class="mw-redirect" title="ChaCha20">ChaCha20</a>, and which hash function is used to ensure the integrity of the data, such as <a href="/wiki/BLAKE2" class="mw-redirect" title="BLAKE2">BLAKE2</a> or <a href="/wiki/SHA-2" title="SHA-2">SHA256</a>. These parameters are agreed for the particular session, for which a lifetime must be agreed and a <a href="/wiki/Session_key" title="Session key">session key</a>.<sup id="cite_ref-28" class="reference"><a href="#cite_note-28"><span class="cite-bracket">[</span>28<span class="cite-bracket">]</span></a></sup> </p><p>The algorithm for authentication is also agreed before the data transfer takes place and IPsec supports a range of methods. Authentication is possible through <a href="/wiki/Pre-shared_key" title="Pre-shared key">pre-shared key</a>, where a <a href="/wiki/Symmetric_key" class="mw-redirect" title="Symmetric key">symmetric key</a> is already in the possession of both hosts, and the hosts send each other hashes of the shared key to prove that they are in possession of the same key. IPsec also supports <a href="/wiki/Public_key_encryption" class="mw-redirect" title="Public key encryption">public key encryption</a>, where each host has a public and a private key, they exchange their public keys and each host sends the other a <a href="/wiki/Cryptographic_nonce" title="Cryptographic nonce">nonce</a> encrypted with the other host's public key. 
Alternatively if both hosts hold a <a href="/wiki/Public_key_certificate" title="Public key certificate">public key certificate</a> from a <a href="/wiki/Certificate_authority" title="Certificate authority">certificate authority</a>, this can be used for IPsec authentication.<sup id="cite_ref-29" class="reference"><a href="#cite_note-29"><span class="cite-bracket">[</span>29<span class="cite-bracket">]</span></a></sup> </p><p>The security associations of IPsec are established using the <a href="/wiki/Internet_Security_Association_and_Key_Management_Protocol" title="Internet Security Association and Key Management Protocol">Internet Security Association and Key Management Protocol</a> (ISAKMP). ISAKMP is implemented by manual configuration with pre-shared secrets, <a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">Internet Key Exchange</a> (IKE and IKEv2), <a href="/wiki/Kerberized_Internet_Negotiation_of_Keys" title="Kerberized Internet Negotiation of Keys">Kerberized Internet Negotiation of Keys</a> (KINK), and the use of IPSECKEY <a href="/wiki/List_of_DNS_record_types" title="List of DNS record types">DNS records</a>.<sup id="cite_ref-rfc4025_17-1" class="reference"><a href="#cite_note-rfc4025-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-rfc2406_1-2" class="reference"><a href="#cite_note-rfc2406-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup><sup class="reference nowrap"><span title="Location: §1">: §1 </span></sup><sup id="cite_ref-rfc3129_30-0" class="reference"><a href="#cite_note-rfc3129-30"><span class="cite-bracket">[</span>30<span class="cite-bracket">]</span></a></sup> RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol. C. Meadows, C. 
Cremers, and others have used <a href="/wiki/Formal_Methods" class="mw-redirect" title="Formal Methods">formal methods</a> to identify various anomalies which exist in IKEv1 and also in IKEv2.<sup id="cite_ref-31" class="reference"><a href="#cite_note-31"><span class="cite-bracket">[</span>31<span class="cite-bracket">]</span></a></sup> </p><p>In order to decide what protection is to be provided for an outgoing packet, IPsec uses the <a href="/wiki/Security_Parameter_Index" title="Security Parameter Index">Security Parameter Index</a> (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database. </p><p>For <a href="/wiki/IP_multicast" title="IP multicast">IP multicast</a> a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice. 
</p> <div class="mw-heading mw-heading2"><h2 id="Keepalives">Keepalives</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=6" title="Edit section: Keepalives"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>To ensure that the connection between two endpoints has not been interrupted, endpoints exchange <a href="/wiki/Keepalive" title="Keepalive">keepalive</a> messages at regular intervals, which can also be used to automatically reestablish a tunnel lost due to connection interruption. </p><p>Dead Peer Detection (DPD) is a method of detecting a dead <a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">Internet Key Exchange</a> (IKE) peer. The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer. DPD is used to reclaim the lost resources in case a peer is found dead and it is also used to perform IKE peer failover. </p><p>UDP keepalive is an alternative to DPD. </p> <div class="mw-heading mw-heading2"><h2 id="Modes_of_operation">Modes of operation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=7" title="Edit section: Modes of operation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The IPsec protocols AH and ESP can be implemented in a host-to-host transport mode, as well as in a network tunneling mode. 
</p> <figure class="mw-default-size" typeof="mw:File/Thumb"><a href="/wiki/File:Ipsec-modes.svg" class="mw-file-description"><img src="//upload.wikimedia.org/wikipedia/commons/thumb/6/6b/Ipsec-modes.svg/250px-Ipsec-modes.svg.png" decoding="async" width="220" height="87" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/6/6b/Ipsec-modes.svg/330px-Ipsec-modes.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/6/6b/Ipsec-modes.svg/500px-Ipsec-modes.svg.png 2x" data-file-width="720" data-file-height="285" /></a><figcaption>IPsec Modes</figcaption></figure> <div class="mw-heading mw-heading3"><h3 id="Transport_mode">Transport mode</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=8" title="Edit section: Transport mode"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In transport mode, only the payload of the IP packet is usually <a href="/wiki/Encrypted" class="mw-redirect" title="Encrypted">encrypted</a> or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the <a href="/wiki/Authentication_Header" class="mw-redirect" title="Authentication Header">authentication header</a> is used, the IP addresses cannot be modified by <a href="/wiki/Network_address_translation" title="Network address translation">network address translation</a>, as this always invalidates the <a href="/wiki/Hash_value" class="mw-redirect" title="Hash value">hash value</a>. 
The <a href="/wiki/Transport_layer" title="Transport layer">transport</a> and <a href="/wiki/Application_layer" title="Application layer">application</a> layers are always secured by a hash, so they cannot be modified in any way, for example by <a href="/wiki/Port_address_translation" class="mw-redirect" title="Port address translation">translating</a> the <a href="/wiki/TCP_and_UDP_port" class="mw-redirect" title="TCP and UDP port">port</a> numbers. </p><p>A means to encapsulate IPsec messages for <a href="/wiki/NAT_traversal" title="NAT traversal">NAT traversal</a> (NAT-T) has been defined by <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> documents describing the NAT-T mechanism. </p> <div class="mw-heading mw-heading3"><h3 id="Tunnel_mode">Tunnel mode</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=9" title="Edit section: Tunnel mode"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create <a href="/wiki/Virtual_private_network" title="Virtual private network">virtual private networks</a> for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).<sup id="cite_ref-32" class="reference"><a href="#cite_note-32"><span class="cite-bracket">[</span>32<span class="cite-bracket">]</span></a></sup> </p><p>Tunnel mode supports NAT traversal. 
</p> <div class="mw-heading mw-heading2"><h2 id="Algorithms">Algorithms</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=10" title="Edit section: Algorithms"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading3"><h3 id="Symmetric_encryption_algorithms">Symmetric encryption algorithms</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=11" title="Edit section: Symmetric encryption algorithms"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Cryptographic algorithms defined for use with IPsec include: </p> <ul><li><a href="/wiki/HMAC" title="HMAC">HMAC</a>-<a href="/wiki/SHA1" class="mw-redirect" title="SHA1">SHA1</a>/<a href="/wiki/SHA2" class="mw-redirect" title="SHA2">SHA2</a> for integrity protection and authenticity.</li> <li><a href="/wiki/TripleDES" class="mw-redirect" title="TripleDES">TripleDES</a>-<a href="/wiki/Cipher_block_chaining" class="mw-redirect" title="Cipher block chaining">CBC</a> for confidentiality</li> <li>AES-<a href="/wiki/Cipher_block_chaining" class="mw-redirect" title="Cipher block chaining">CBC</a> and <a href="/wiki/AES-CTR" class="mw-redirect" title="AES-CTR">AES-CTR</a> for confidentiality.</li> <li><a href="/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">AES</a>-<a href="/wiki/Galois/Counter_Mode" title="Galois/Counter Mode">GCM</a> and <a href="/wiki/ChaCha20-Poly1305" title="ChaCha20-Poly1305">ChaCha20-Poly1305</a> providing confidentiality and authentication together efficiently.</li></ul> <p>Refer to RFC 8221 for details. 
</p> <div class="mw-heading mw-heading3"><h3 id="Key_exchange_algorithms">Key exchange algorithms</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=12" title="Edit section: Key exchange algorithms"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Diffie%E2%80%93Hellman_key_exchange" title="Diffie–Hellman key exchange">Diffie–Hellman</a> (RFC 3526)</li> <li><a href="/wiki/Elliptic-curve_Diffie%E2%80%93Hellman" title="Elliptic-curve Diffie–Hellman">ECDH</a> (RFC 4753)</li></ul> <div class="mw-heading mw-heading3"><h3 id="Authentication_algorithms">Authentication algorithms</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=13" title="Edit section: Authentication algorithms"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/RSA_(cryptosystem)" class="mw-redirect" title="RSA (cryptosystem)">RSA</a></li> <li><a href="/wiki/ECDSA" class="mw-redirect" title="ECDSA">ECDSA</a> (RFC 4754)</li> <li><a href="/wiki/Pre-shared_key" title="Pre-shared key">PSK</a> (RFC 6617)</li> <li><a href="/wiki/EdDSA" title="EdDSA">EdDSA</a> (RFC 8420)</li></ul> <div class="mw-heading mw-heading2"><h2 id="Implementations">Implementations</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=14" title="Edit section: Implementations"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The IPsec can be implemented in the IP stack of an <a href="/wiki/Operating_system" title="Operating system">operating system</a>. This method of implementation is done for hosts and security gateways. 
Various IPsec-capable IP stacks are available from companies, such as HP or IBM.<sup id="cite_ref-33" class="reference"><a href="#cite_note-33"><span class="cite-bracket">[</span>33<span class="cite-bracket">]</span></a></sup> An alternative is a so-called <a href="/w/index.php?title=Bump-in-the-stack&action=edit&redlink=1" class="new" title="Bump-in-the-stack (page does not exist)">bump-in-the-stack</a> (BITS) implementation, where the operating system source code does not have to be modified. Here IPsec is installed between the IP stack and the network <a href="/wiki/Device_driver" title="Device driver">drivers</a>. This way operating systems can be retrofitted with IPsec. This method of implementation is also used for both hosts and gateways. However, when retrofitting IPsec the encapsulation of IP packets may cause problems for the automatic <a href="/wiki/Path_MTU_discovery" class="mw-redirect" title="Path MTU discovery">path MTU discovery</a>, where the <a href="/wiki/Maximum_transmission_unit" title="Maximum transmission unit">maximum transmission unit</a> (MTU) size on the network path between two IP hosts is established. If a host or gateway has a separate <a href="/wiki/Cryptoprocessor" class="mw-redirect" title="Cryptoprocessor">cryptoprocessor</a>, which is common in the military and can also be found in commercial systems, a so-called <a href="/wiki/Bump-in-the-wire" title="Bump-in-the-wire">bump-in-the-wire</a> (BITW) implementation of IPsec is possible.<sup id="cite_ref-34" class="reference"><a href="#cite_note-34"><span class="cite-bracket">[</span>34<span class="cite-bracket">]</span></a></sup> </p><p>When IPsec is implemented in the <a href="/wiki/Kernel_(operating_system)" title="Kernel (operating system)">kernel</a>, the key management and <a href="/wiki/ISAKMP" class="mw-redirect" title="ISAKMP">ISAKMP</a>/<a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">IKE</a> negotiation is carried out from user space. 
The NRL-developed and openly specified "PF_KEY Key Management API, Version 2" is often used to enable the application-space key management application to update the IPsec security associations stored within the kernel-space IPsec implementation.<sup id="cite_ref-rfc2367_35-0" class="reference"><a href="#cite_note-rfc2367-35"><span class="cite-bracket">[</span>35<span class="cite-bracket">]</span></a></sup> Existing IPsec implementations usually include ESP, AH, and IKE version 2. Existing IPsec implementations on <a href="/wiki/Unix-like_operating_system" class="mw-redirect" title="Unix-like operating system">Unix-like operating systems</a>, for example, <a href="/wiki/Oracle_Solaris" title="Oracle Solaris">Solaris</a> or <a href="/wiki/Linux" title="Linux">Linux</a>, usually include PF_KEY version 2. </p><p><a href="/wiki/Embedded_system" title="Embedded system">Embedded</a> IPsec can be used to ensure the secure communication among applications running over constrained resource systems with a small overhead.<sup id="cite_ref-36" class="reference"><a href="#cite_note-36"><span class="cite-bracket">[</span>36<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Standards_status">Standards status</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=15" title="Edit section: Standards status"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>IPsec was developed in conjunction with <a href="/wiki/IPv6" title="IPv6">IPv6</a> and was originally required to be supported by all standards-compliant implementations of <a href="/wiki/IPv6" title="IPv6">IPv6</a> before RFC 6434 made it only a recommendation.<sup id="cite_ref-rfc6434_37-0" class="reference"><a href="#cite_note-rfc6434-37"><span class="cite-bracket">[</span>37<span class="cite-bracket">]</span></a></sup> IPsec is also optional for <a 
href="/wiki/IPv4" title="IPv4">IPv4</a> implementations. IPsec is most commonly used to secure IPv4 traffic.<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (January 2019)">citation needed</span></a></i>]</sup> </p><p>IPsec protocols were originally defined in RFC 1825 through RFC 1829, which were published in 1995. In 1998, these documents were superseded by RFC 2401 and RFC 2412 with a few incompatible engineering details, although they were conceptually identical. In addition, a mutual authentication and key exchange protocol <a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">Internet Key Exchange</a> (IKE) was defined to create and manage security associations. In December 2005, new standards were defined in RFC 4301 and RFC 4309 which are largely a superset of the previous editions with a second version of the Internet Key Exchange standard <a href="/wiki/IKEv2" class="mw-redirect" title="IKEv2">IKEv2</a>. These third-generation documents standardized the abbreviation of IPsec to uppercase "IP" and lowercase "sec". "ESP" generally refers to RFC 4303, which is the most recent version of the specification. 
</p><p>Since mid-2008, an IPsec Maintenance and Extensions (ipsecme) working group has been active at the IETF.<sup id="cite_ref-38" class="reference"><a href="#cite_note-38"><span class="cite-bracket">[</span>38<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-39" class="reference"><a href="#cite_note-39"><span class="cite-bracket">[</span>39<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Alleged_NSA_interference">Alleged NSA interference</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=16" title="Edit section: Alleged NSA interference"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In 2013, as part of <a href="/wiki/Global_surveillance_disclosures_(2013%E2%80%93present)" class="mw-redirect" title="Global surveillance disclosures (2013–present)">Snowden leaks</a>, it was revealed that the US <a href="/wiki/National_Security_Agency" title="National Security Agency">National Security Agency</a> had been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the <a href="/wiki/Bullrun_(code_name)" class="mw-redirect" title="Bullrun (code name)">Bullrun</a> program.<sup id="cite_ref-40" class="reference"><a href="#cite_note-40"><span class="cite-bracket">[</span>40<span class="cite-bracket">]</span></a></sup> There are allegations that IPsec was a targeted encryption system.<sup id="cite_ref-gilmore_bullrun_41-0" class="reference"><a href="#cite_note-gilmore_bullrun-41"><span class="cite-bracket">[</span>41<span class="cite-bracket">]</span></a></sup> </p><p>The OpenBSD IPsec stack came later on and also was widely copied. 
In a letter which <a href="/wiki/OpenBSD" title="OpenBSD">OpenBSD</a> lead developer <a href="/wiki/Theo_de_Raadt" title="Theo de Raadt">Theo de Raadt</a> received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted "a number of <a href="/wiki/Backdoor_(computing)" title="Backdoor (computing)">backdoors</a> and <a href="/wiki/Side_channel" class="mw-redirect" title="Side channel">side channel</a> key leaking mechanisms" into the OpenBSD crypto code. In the forwarded email from 2010, Theo de Raadt did not at first express an official position on the validity of the claims, apart from the implicit endorsement from forwarding the email.<sup id="cite_ref-42" class="reference"><a href="#cite_note-42"><span class="cite-bracket">[</span>42<span class="cite-bracket">]</span></a></sup> Jason Wright's response to the allegations: "Every urban legend is made more real by the inclusion of real names, dates, and times. Gregory Perry's email falls into this category. ... I will state clearly that I did not add backdoors to the OpenBSD operating system or the <a href="/wiki/OpenBSD_Cryptographic_Framework" title="OpenBSD Cryptographic Framework">OpenBSD Cryptographic Framework</a> (OCF)."<sup id="cite_ref-43" class="reference"><a href="#cite_note-43"><span class="cite-bracket">[</span>43<span class="cite-bracket">]</span></a></sup> Some days later, de Raadt commented that "I believe that NETSEC was probably contracted to write backdoors as alleged. ... If those were written, I don't believe they made it into our tree."<sup id="cite_ref-44" class="reference"><a href="#cite_note-44"><span class="cite-bracket">[</span>44<span class="cite-bracket">]</span></a></sup> This was published before the Snowden leaks. 
</p><p>An alternative explanation put forward by the authors of the <a href="/wiki/Logjam_(computer_security)" title="Logjam (computer security)">Logjam attack</a> suggests that the NSA compromised IPsec VPNs by undermining the <a href="/wiki/Diffie-Hellman" class="mw-redirect" title="Diffie-Hellman">Diffie-Hellman</a> algorithm used in the key exchange. In their paper,<sup id="cite_ref-weakdh_45-0" class="reference"><a href="#cite_note-weakdh-45"><span class="cite-bracket">[</span>45<span class="cite-bracket">]</span></a></sup> they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409 (a 1024-bit MODP group). As of May 2015, 90% of addressable IPsec VPNs supported the second Oakley group as part of IKE. If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors. The precomputation depends only on the group, not on any individual connection, so the mitigation is to negotiate larger groups (2048 bits or more) or elliptic-curve Diffie-Hellman in IKE and to disable the 1024-bit groups. </p><p>A second alternative explanation that was put forward is that the <a href="/wiki/Equation_Group" title="Equation Group">Equation Group</a> used <a href="/wiki/Zero-day_(computing)" class="mw-redirect" title="Zero-day (computing)">zero-day exploits</a> against several manufacturers' VPN equipment; these exploits were validated by <a href="/wiki/Kaspersky_Lab" title="Kaspersky Lab">Kaspersky Lab</a> as being tied to the Equation Group<sup id="cite_ref-46" class="reference"><a href="#cite_note-46"><span class="cite-bracket">[</span>46<span class="cite-bracket">]</span></a></sup> and validated by those manufacturers as being real exploits, some of which were zero-day exploits at the time of their exposure.<sup id="cite_ref-47" class="reference"><a href="#cite_note-47"><span class="cite-bracket">[</span>47<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-48" class="reference"><a href="#cite_note-48"><span class="cite-bracket">[</span>48<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-49" 
class="reference"><a href="#cite_note-49"><span class="cite-bracket">[</span>49<span class="cite-bracket">]</span></a></sup> The <a href="/wiki/Cisco_PIX#Security_vulnerabilities" title="Cisco PIX">Cisco PIX and ASA</a> firewalls had vulnerabilities that were used for wiretapping by the NSA<sup class="noprint Inline-Template Template-Fact" style="white-space:nowrap;">[<i><a href="/wiki/Wikipedia:Citation_needed" title="Wikipedia:Citation needed"><span title="This claim needs references to reliable sources. (April 2020)">citation needed</span></a></i>]</sup>. </p><p>Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the pre-shared key (PSK) in the clear. This can be and apparently is targeted by the NSA using offline <a href="/wiki/Dictionary_attack" title="Dictionary attack">dictionary attacks</a>.<sup id="cite_ref-weakdh_45-1" class="reference"><a href="#cite_note-weakdh-45"><span class="cite-bracket">[</span>45<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-50" class="reference"><a href="#cite_note-50"><span class="cite-bracket">[</span>50<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-51" class="reference"><a href="#cite_note-51"><span class="cite-bracket">[</span>51<span class="cite-bracket">]</span></a></sup> Because the guessing is done offline, only the strength of the PSK limits it; a long random PSK, or certificate-based authentication in place of a PSK, reduces the exposure. </p> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=17" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Dynamic_Multipoint_Virtual_Private_Network" title="Dynamic Multipoint Virtual Private Network">Dynamic Multipoint Virtual Private Network</a></li> <li><a href="/wiki/Information_security" title="Information security">Information security</a></li> <li><a href="/wiki/NAT_traversal" title="NAT traversal">NAT traversal</a></li> <li><a href="/wiki/Opportunistic_encryption" 
title="Opportunistic encryption">Opportunistic encryption</a></li> <li><a href="/wiki/Tcpcrypt" title="Tcpcrypt">tcpcrypt</a></li> <li><a href="/wiki/Tunneling_protocol" title="Tunneling protocol">Tunneling protocol</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=18" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist .references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist reflist-columns references-column-width" style="column-width: 30em;"> <ol class="references"> <li id="cite_note-rfc2406-1"><span class="mw-cite-backlink">^ <a href="#cite_ref-rfc2406_1-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-rfc2406_1-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-rfc2406_1-2"><sup><i><b>c</b></i></sup></a></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output 
cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and 
(prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><cite id="CITEREFD._HarkinsR._Atkinson1998" class="citation cs1">D. Harkins; R. Atkinson (November 1998). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2406"><i>IP Encapsulating Security Payload (ESP)</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC2406">10.17487/RFC2406</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2406">2406</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=IP+Encapsulating+Security+Payload+%28ESP%29&rft.pub=Network+Working+Group&rft.date=1998-11&rft_id=info%3Adoi%2F10.17487%2FRFC2406&rft.au=D.+Harkins&rft.au=R.+Atkinson&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc2406&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Obsolete.</i> Obsoleted by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4303">4303</a>, <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4305">4305</a>. Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1827">1827</a>. 
</span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.schneier.com/academic/archives/2003/12/a_cryptographic_eval.html">"A Cryptographic Evaluation of IPsec"</a>. <i>Schneier on Security</i>. December 2003<span class="reference-accessdate">. Retrieved <span class="nowrap">2024-12-01</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Schneier+on+Security&rft.atitle=A+Cryptographic+Evaluation+of+IPsec&rft.date=2003-12&rft_id=https%3A%2F%2Fwww.schneier.com%2Facademic%2Farchives%2F2003%2F12%2Fa_cryptographic_eval.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDhallDhallBatraRani2012" class="citation book cs1">Dhall, Hitesh; Dhall, Dolly; Batra, Sonia; Rani, Pooja (2012). <a rel="nofollow" class="external text" href="https://ieeexplore.ieee.org/document/6168355">"Implementation of IPSec Protocol"</a>. <i>2012 Second International Conference on Advanced Computing & Communication Technologies</i>. <a href="/wiki/IEEE" class="mw-redirect" title="IEEE">IEEE</a>. pp. <span class="nowrap">176–</span>181. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2FACCT.2012.64">10.1109/ACCT.2012.64</a>. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/978-1-4673-0471-9" title="Special:BookSources/978-1-4673-0471-9"><bdi>978-1-4673-0471-9</bdi></a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:16526652">16526652</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Implementation+of+IPSec+Protocol&rft.btitle=2012+Second+International+Conference+on+Advanced+Computing+%26+Communication+Technologies&rft.pages=%3Cspan+class%3D%22nowrap%22%3E176-%3C%2Fspan%3E181&rft.pub=IEEE&rft.date=2012&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A16526652%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1109%2FACCT.2012.64&rft.isbn=978-1-4673-0471-9&rft.aulast=Dhall&rft.aufirst=Hitesh&rft.au=Dhall%2C+Dolly&rft.au=Batra%2C+Sonia&rft.au=Rani%2C+Pooja&rft_id=https%3A%2F%2Fieeexplore.ieee.org%2Fdocument%2F6168355&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-4"><span class="mw-cite-backlink"><b><a href="#cite_ref-4">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGilmore" class="citation web cs1">Gilmore, John. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20140903145752/http://www.toad.com/gnu/netcrypt.html">"Network Encryption – history and patents"</a>. Archived from <a rel="nofollow" class="external text" href="http://www.toad.com/gnu/netcrypt.html">the original</a> on 2014-09-03<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2014-02-18</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Network+Encryption+%E2%80%93+history+and+patents&rft.aulast=Gilmore&rft.aufirst=John&rft_id=http%3A%2F%2Fwww.toad.com%2Fgnu%2Fnetcrypt.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-MIT-5"><span class="mw-cite-backlink">^ <a href="#cite_ref-MIT_5-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-MIT_5-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.mit.edu/network/isakmp/">"IPv6 + IPSEC + ISAKMP Distribution Page"</a>. <i>web.mit.edu</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=web.mit.edu&rft.atitle=IPv6+%2B+IPSEC+%2B+ISAKMP+Distribution+Page&rft_id=https%3A%2F%2Fweb.mit.edu%2Fnetwork%2Fisakmp%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-6"><span class="mw-cite-backlink"><b><a href="#cite_ref-6">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.usenix.org/legacy/publications/library/proceedings/sd96/atkinson.html">"USENIX 1996 ANNUAL TECHNICAL CONFERENCE"</a>. 
<i>www.usenix.org</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.usenix.org&rft.atitle=USENIX+1996+ANNUAL+TECHNICAL+CONFERENCE&rft_id=https%3A%2F%2Fwww.usenix.org%2Flegacy%2Fpublications%2Flibrary%2Fproceedings%2Fsd96%2Fatkinson.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-7">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/wg/ipsec/history/">"IP Security Protocol (ipsec) -"</a>. <i>datatracker.ietf.org</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=datatracker.ietf.org&rft.atitle=IP+Security+Protocol+%28ipsec%29+-&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fipsec%2Fhistory%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._KentK._Seo2005" class="citation cs1"><a href="/wiki/Stephen_Kent_(network_security)" title="Stephen Kent (network security)">S. Kent</a>; K. Seo (December 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4301"><i>Security Architecture for the Internet Protocol</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4301">10.17487/RFC4301</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4301">4301</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Security+Architecture+for+the+Internet+Protocol&rft.pub=Network+Working+Group&rft.date=2005-12&rft_id=info%3Adoi%2F10.17487%2FRFC4301&rft.au=S.+Kent&rft.au=K.+Seo&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4301&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> p. 4. Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2401">2401</a>. Updated by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6040">6040</a> and <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7619">7619</a>. <q>The spelling "IPsec" is preferred and used throughout this and all related IPsec standards. All other capitalizations of IPsec [...] are deprecated.</q> </span> </li> <li id="cite_note-9"><span class="mw-cite-backlink"><b><a href="#cite_ref-9">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.nrl.navy.mil/itd/sites/www.nrl.navy.mil.itd/files/files/itd_accomp_ipsec.pdf">"NRL ITD Accomplishments - IPSec and IPv6"</a> <span class="cs1-format">(PDF)</span>. <i>US Naval Research Laboratories</i>. 
<a rel="nofollow" class="external text" href="https://web.archive.org/web/20150915230737/http://www.nrl.navy.mil/itd/sites/www.nrl.navy.mil.itd/files/files/itd_accomp_ipsec.pdf">Archived</a> <span class="cs1-format">(PDF)</span> from the original on 2015-09-15.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=US+Naval+Research+Laboratories&rft.atitle=NRL+ITD+Accomplishments+-+IPSec+and+IPv6&rft_id=https%3A%2F%2Fwww.nrl.navy.mil%2Fitd%2Fsites%2Fwww.nrl.navy.mil.itd%2Ffiles%2Ffiles%2Fitd_accomp_ipsec.pdf&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc6071-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc6071_10-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._FrankelS._Krishnan2011" class="citation cs1">S. Frankel; S. Krishnan (February 2011). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6071"><i>IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap</i></a>. <a href="/wiki/Internet_Engineering_Task_Force" title="Internet Engineering Task Force">Internet Engineering Task Force</a> (IETF). <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC6071">10.17487/RFC6071</a></span>. <a href="/wiki/ISSN_(identifier)" class="mw-redirect" title="ISSN (identifier)">ISSN</a> <a rel="nofollow" class="external text" href="https://search.worldcat.org/issn/2070-1721">2070-1721</a>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6071">6071</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=IP+Security+%28IPsec%29+and+Internet+Key+Exchange+%28IKE%29+Document+Roadmap&rft.pub=Internet+Engineering+Task+Force+%28IETF%29&rft.date=2011-02&rft_id=info%3Adoi%2F10.17487%2FRFC6071&rft.issn=2070-1721&rft.au=S.+Frankel&rft.au=S.+Krishnan&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc6071&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Informational.</i> Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2411">2411</a>. </span> </li> <li id="cite_note-rfc4308-11"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc4308_11-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFP._Hoffman2005" class="citation cs1">P. Hoffman (December 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4308"><i>Cryptographic Suites for IPsec</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4308">10.17487/RFC4308</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4308">4308</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Cryptographic+Suites+for+IPsec&rft.pub=Network+Working+Group&rft.date=2005-12&rft_id=info%3Adoi%2F10.17487%2FRFC4308&rft.au=P.+Hoffman&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4308&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> </span> </li> <li id="cite_note-rfc4302-12"><span class="mw-cite-backlink">^ <a href="#cite_ref-rfc4302_12-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-rfc4302_12-1"><sup><i><b>b</b></i></sup></a> <a href="#cite_ref-rfc4302_12-2"><sup><i><b>c</b></i></sup></a> <a href="#cite_ref-rfc4302_12-3"><sup><i><b>d</b></i></sup></a> <a href="#cite_ref-rfc4302_12-4"><sup><i><b>e</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._Kent2005" class="citation cs1"><a href="/wiki/Stephen_Kent_(network_security)" title="Stephen Kent (network security)">S. Kent</a> (December 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4302"><i>IP Authentication Header</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4302">10.17487/RFC4302</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4302">4302</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=IP+Authentication+Header&rft.pub=Network+Working+Group&rft.date=2005-12&rft_id=info%3Adoi%2F10.17487%2FRFC4302&rft.au=S.+Kent&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4302&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2402">2402</a>. </span> </li> <li id="cite_note-rfc2409_sec1-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc2409_sec1_13-0">^</a></b></span> <span class="reference-text">The <a href="/wiki/Internet_Key_Exchange" title="Internet Key Exchange">Internet Key Exchange</a> (IKE), RFC 2409, §1 Abstract</span> </li> <li id="cite_note-rfc2409-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc2409_14-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._KentD._Carrel1998" class="citation cs1"><a href="/wiki/Stephen_Kent_(network_security)" title="Stephen Kent (network security)">S. Kent</a>; D. Carrel (November 1998). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2409"><i>The Internet Key Exchange (IKE)</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC2409">10.17487/RFC2409</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2409">2409</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=The+Internet+Key+Exchange+%28IKE%29&rft.pub=Network+Working+Group&rft.date=1998-11&rft_id=info%3Adoi%2F10.17487%2FRFC2409&rft.au=S.+Kent&rft.au=D.+Carrel&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc2409&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Obsolete.</i> Obsoleted by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4306">4306</a>. Updated by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4109">4109</a>. </span> </li> <li id="cite_note-rfc4306-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc4306_15-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFC._Kaufman2005" class="citation cs1">C. Kaufman (December 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4306"><i>Internet Key Exchange (IKEv2) Protocol</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4306">10.17487/RFC4306</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4306">4306</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Internet+Key+Exchange+%28IKEv2%29+Protocol&rft.pub=Network+Working+Group&rft.date=2005-12&rft_id=info%3Adoi%2F10.17487%2FRFC4306&rft.au=C.+Kaufman&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4306&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Obsolete.</i> Obsoleted by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5996">5996</a>. Updated by <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5282">5282</a>. Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2407">2407</a>, <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2409">2409</a> and <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2408">2408</a>. </span> </li> <li id="cite_note-rfc4430-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc4430_16-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._SakaneK._KamadaM._ThomasJ._Vilhuber2006" class="citation cs1">S. Sakane; K. Kamada; M. Thomas; J. Vilhuber (March 2006). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4430"><i>Kerberized Internet Negotiation of Keys (KINK)</i></a>. Network Working Group. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4430">10.17487/RFC4430</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4430">4430</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Kerberized+Internet+Negotiation+of+Keys+%28KINK%29&rft.pub=Network+Working+Group&rft.date=2006-03&rft_id=info%3Adoi%2F10.17487%2FRFC4430&rft.au=S.+Sakane&rft.au=K.+Kamada&rft.au=M.+Thomas&rft.au=J.+Vilhuber&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4430&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> </span> </li> <li id="cite_note-rfc4025-17"><span class="mw-cite-backlink">^ <a href="#cite_ref-rfc4025_17-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-rfc4025_17-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFM._Richardson2005" class="citation cs1">M. Richardson (March 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4025"><i>A Method for Storing IPsec Keying Material in DNS</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4025">10.17487/RFC4025</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4025">4025</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=A+Method+for+Storing+IPsec+Keying+Material+in+DNS&rft.pub=Network+Working+Group&rft.date=2005-03&rft_id=info%3Adoi%2F10.17487%2FRFC4025&rft.au=M.+Richardson&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4025&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> </span> </li> <li id="cite_note-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-18">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPeter_Willis2001" class="citation book cs1">Peter Willis (2001). <i>Carrier-Scale IP Networks: Designing and Operating Internet Networks</i>. IET. p. 270. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780852969823" title="Special:BookSources/9780852969823"><bdi>9780852969823</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Carrier-Scale+IP+Networks%3A+Designing+and+Operating+Internet+Networks&rft.pages=270&rft.pub=IET&rft.date=2001&rft.isbn=9780852969823&rft.au=Peter+Willis&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc4949-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc4949_19-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFR._Shirey2007" class="citation cs1">R. Shirey (August 2007). 
<a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4949"><i>Internet Security Glossary, Version 2</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4949">10.17487/RFC4949</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4949">4949</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Internet+Security+Glossary%2C+Version+2&rft.pub=Network+Working+Group&rft.date=2007-08&rft_id=info%3Adoi%2F10.17487%2FRFC4949&rft.au=R.+Shirey&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4949&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Informational.</i> Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2828">2828</a>. </span> </li> <li id="cite_note-rfc1108-20"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc1108_20-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._Kent1991" class="citation cs1"><a href="/wiki/Stephen_Kent_(network_security)" title="Stephen Kent (network security)">S. Kent</a> (November 1991). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1108"><i>U.S. Department of Defense - Security Options for the Internet Protocol</i></a>. Network Working Group. 
<a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC1108">10.17487/RFC1108</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1108">1108</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=U.S.+Department+of+Defense+-+Security+Options+for+the+Internet+Protocol&rft.pub=Network+Working+Group&rft.date=1991-11&rft_id=info%3Adoi%2F10.17487%2FRFC1108&rft.au=S.+Kent&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc1108&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Historic.</i> Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1038">1038</a>. </span> </li> <li id="cite_note-iana-21"><span class="mw-cite-backlink">^ <a href="#cite_ref-iana_21-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-iana_21-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20100529122930/https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml">"Protocol Numbers"</a>. <i>IANA</i>. 2010-05-27. 
Archived from <a rel="nofollow" class="external text" href="https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml">the original</a> on 2010-05-29.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=IANA&rft.atitle=Protocol+Numbers&rft.date=2010-05-27&rft_id=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fprotocol-numbers%2Fprotocol-numbers.xml&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-22"><span class="mw-cite-backlink"><b><a href="#cite_ref-22">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20160909031941/http://www.toad.com/gnu/draft-ietf-sip-esp-00.txt">"SIPP Encapsulating Security Payload"</a>. IETF SIPP Working Group. 1993. Archived from <a rel="nofollow" class="external text" href="http://www.toad.com/gnu/draft-ietf-sip-esp-00.txt">the original</a> on 2016-09-09<span class="reference-accessdate">. Retrieved <span class="nowrap">2013-08-07</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=SIPP+Encapsulating+Security+Payload&rft.pub=IETF+SIPP+Working+Group&rft.date=1993&rft_id=http%3A%2F%2Fwww.toad.com%2Fgnu%2Fdraft-ietf-sip-esp-00.txt&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-23"><span class="mw-cite-backlink"><b><a href="#cite_ref-23">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDeering1993" class="citation web cs1">Deering, Steve E. (1993). 
<a rel="nofollow" class="external text" href="http://tools.ietf.org/html/draft-ietf-sipp-spec-00">"Draft SIPP Specification"</a>. IETF. p. 21.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Draft+SIPP+Specification&rft.pages=21&rft.pub=IETF&rft.date=1993&rft.aulast=Deering&rft.aufirst=Steve+E.&rft_id=http%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-sipp-spec-00&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-24"><span class="mw-cite-backlink"><b><a href="#cite_ref-24">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFBellovin1996" class="citation conference cs1"><a href="/wiki/Steven_M._Bellovin" title="Steven M. Bellovin">Bellovin, Steven M.</a> (1996). <a rel="nofollow" class="external text" href="https://www.cs.columbia.edu/~smb/papers/badesp.ps">"Problem Areas for the IP Security Protocols"</a> <span class="cs1-format">(<a href="/wiki/PostScript" title="PostScript">PostScript</a>)</span>. <i>Proceedings of the Sixth Usenix Unix Security Symposium</i>. San Jose, CA. pp. <span class="nowrap">1–</span>16<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2007-07-09</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Problem+Areas+for+the+IP+Security+Protocols&rft.btitle=Proceedings+of+the+Sixth+Usenix+Unix+Security+Symposium&rft.place=San+Jose%2C+CA&rft.pages=%3Cspan+class%3D%22nowrap%22%3E1-%3C%2Fspan%3E16&rft.date=1996&rft.aulast=Bellovin&rft.aufirst=Steven+M.&rft_id=https%3A%2F%2Fwww.cs.columbia.edu%2F~smb%2Fpapers%2Fbadesp.ps&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-25"><span class="mw-cite-backlink"><b><a href="#cite_ref-25">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPatersonYau2006" class="citation conference cs1">Paterson, Kenneth G.; Yau, Arnold K.L. (2006-04-24). <a rel="nofollow" class="external text" href="http://eprint.iacr.org/2005/416">"Cryptography in theory and practice: The case of encryption in IPsec"</a> <span class="cs1-format">(PDF)</span>. <i>Eurocrypt 2006, Lecture Notes in Computer Science Vol. 4004</i>. Berlin. pp. <span class="nowrap">12–</span>29<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2007-08-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Cryptography+in+theory+and+practice%3A+The+case+of+encryption+in+IPsec&rft.btitle=Eurocrypt+2006%2C+Lecture+Notes+in+Computer+Science+Vol.+4004&rft.place=Berlin&rft.pages=%3Cspan+class%3D%22nowrap%22%3E12-%3C%2Fspan%3E29&rft.date=2006-04-24&rft.aulast=Paterson&rft.aufirst=Kenneth+G.&rft.au=Yau%2C+Arnold+K.L.&rft_id=http%3A%2F%2Feprint.iacr.org%2F2005%2F416&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-26"><span class="mw-cite-backlink"><b><a href="#cite_ref-26">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFDegabrielePaterson2007" class="citation conference cs1">Degabriele, Jean Paul; Paterson, Kenneth G. (2007-08-09). <a rel="nofollow" class="external text" href="http://eprint.iacr.org/2007/125">"Attacking the IPsec Standards in Encryption-only Configurations"</a> <span class="cs1-format">(PDF)</span>. <i>IEEE Symposium on Security and Privacy, IEEE Computer Society</i>. Oakland, CA. pp. <span class="nowrap">335–</span>349<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2007-08-13</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=conference&rft.atitle=Attacking+the+IPsec+Standards+in+Encryption-only+Configurations&rft.btitle=IEEE+Symposium+on+Security+and+Privacy%2C+IEEE+Computer+Society&rft.place=Oakland%2C+CA&rft.pages=%3Cspan+class%3D%22nowrap%22%3E335-%3C%2Fspan%3E349&rft.date=2007-08-09&rft.aulast=Degabriele&rft.aufirst=Jean+Paul&rft.au=Paterson%2C+Kenneth+G.&rft_id=http%3A%2F%2Feprint.iacr.org%2F2007%2F125&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc4303-27"><span class="mw-cite-backlink">^ <a href="#cite_ref-rfc4303_27-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-rfc4303_27-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFS._Kent2005" class="citation cs1"><a href="/wiki/Stephen_Kent_(network_security)" title="Stephen Kent (network security)">S. Kent</a> (December 2005). <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4303"><i>IP Encapsulating Security Payload</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC4303">10.17487/RFC4303</a></span>. 
<a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4303">4303</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=IP+Encapsulating+Security+Payload&rft.pub=Network+Working+Group&rft.date=2005-12&rft_id=info%3Adoi%2F10.17487%2FRFC4303&rft.au=S.+Kent&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4303&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Proposed Standard.</i> Obsoletes <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2406">2406</a>. </span> </li> <li id="cite_note-28"><span class="mw-cite-backlink"><b><a href="#cite_ref-28">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPeter_Willis2001" class="citation book cs1">Peter Willis (2001). <i>Carrier-Scale IP Networks: Designing and Operating Internet Networks</i>. IET. p. 271. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780852969823" title="Special:BookSources/9780852969823"><bdi>9780852969823</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Carrier-Scale+IP+Networks%3A+Designing+and+Operating+Internet+Networks&rft.pages=271&rft.pub=IET&rft.date=2001&rft.isbn=9780852969823&rft.au=Peter+Willis&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-29"><span class="mw-cite-backlink"><b><a href="#cite_ref-29">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPeter_Willis2001" class="citation book cs1">Peter Willis (2001). <i>Carrier-Scale IP Networks: Designing and Operating Internet Networks</i>. IET. pp. <span class="nowrap">272–</span>3. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780852969823" title="Special:BookSources/9780852969823"><bdi>9780852969823</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Carrier-Scale+IP+Networks%3A+Designing+and+Operating+Internet+Networks&rft.pages=%3Cspan+class%3D%22nowrap%22%3E272-%3C%2Fspan%3E3&rft.pub=IET&rft.date=2001&rft.isbn=9780852969823&rft.au=Peter+Willis&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc3129-30"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc3129_30-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFM._Thomas2001" class="citation cs1">M. Thomas (June 2001). 
<a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3129"><i>Requirements for Kerberized Internet Negotiation of Keys</i></a>. Network Working Group. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<span class="id-lock-free" title="Freely accessible"><a rel="nofollow" class="external text" href="https://doi.org/10.17487%2FRFC3129">10.17487/RFC3129</a></span>. <a href="/wiki/Request_for_Comments" title="Request for Comments">RFC</a> <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3129">3129</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Requirements+for+Kerberized+Internet+Negotiation+of+Keys&rft.pub=Network+Working+Group&rft.date=2001-06&rft_id=info%3Adoi%2F10.17487%2FRFC3129&rft.au=M.+Thomas&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc3129&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span> <i>Informational.</i> </span> </li> <li id="cite_note-31"><span class="mw-cite-backlink"><b><a href="#cite_ref-31">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFC._Cremers2011" class="citation book cs1">C. Cremers (2011). <a rel="nofollow" class="external text" href="https://link.springer.com/chapter/10.1007/978-3-642-23822-2_18">"Key Exchange in IPsec Revisited: Formal Analysis of IKEv1 and IKEv2"</a>. <i>Key Exchange in IPsec Revisited: Formal Analysis of IKEv1 and IKEv2, ESORICS 2011</i>. Lecture Notes in Computer Science. Vol. 6879. Springer. pp. <span class="nowrap">315–</span>334. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1007%2F978-3-642-23822-2_18">10.1007/978-3-642-23822-2_18</a>. 
<a href="/wiki/Hdl_(identifier)" class="mw-redirect" title="Hdl (identifier)">hdl</a>:<a rel="nofollow" class="external text" href="https://hdl.handle.net/20.500.11850%2F69608">20.500.11850/69608</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9783642238222" title="Special:BookSources/9783642238222"><bdi>9783642238222</bdi></a>. <a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:18222662">18222662</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Key+Exchange+in+IPsec+Revisited%3A+Formal+Analysis+of+IKEv1+and+IKEv2&rft.btitle=Key+Exchange+in+IPsec+Revisited%3A+Formal+Analysis+of+IKEv1+and+IKEv2%2C+ESORICS+2011&rft.series=Lecture+Notes+in+Computer+Science&rft.pages=%3Cspan+class%3D%22nowrap%22%3E315-%3C%2Fspan%3E334&rft.pub=Springer&rft.date=2011&rft_id=info%3Ahdl%2F20.500.11850%2F69608&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A18222662%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1007%2F978-3-642-23822-2_18&rft.isbn=9783642238222&rft.au=C.+Cremers&rft_id=https%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-642-23822-2_18&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-32"><span class="mw-cite-backlink"><b><a href="#cite_ref-32">^</a></b></span> <span class="reference-text">William, S., & Stallings, W. (2006). Cryptography and Network Security, 4/E. Pearson Education India. pp. 492–493</span> </li> <li id="cite_note-33"><span class="mw-cite-backlink"><b><a href="#cite_ref-33">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPeter_Willis2001" class="citation book cs1">Peter Willis (2001). 
<i>Carrier-Scale IP Networks: Designing and Operating Internet Networks</i>. IET. p. 266. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780852969823" title="Special:BookSources/9780852969823"><bdi>9780852969823</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Carrier-Scale+IP+Networks%3A+Designing+and+Operating+Internet+Networks&rft.pages=266&rft.pub=IET&rft.date=2001&rft.isbn=9780852969823&rft.au=Peter+Willis&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-34"><span class="mw-cite-backlink"><b><a href="#cite_ref-34">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPeter_Willis2001" class="citation book cs1">Peter Willis (2001). <i>Carrier-Scale IP Networks: Designing and Operating Internet Networks</i>. IET. p. 267. 
<a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9780852969823" title="Special:BookSources/9780852969823"><bdi>9780852969823</bdi></a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=book&rft.btitle=Carrier-Scale+IP+Networks%3A+Designing+and+Operating+Internet+Networks&rft.pages=267&rft.pub=IET&rft.date=2001&rft.isbn=9780852969823&rft.au=Peter+Willis&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc2367-35"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc2367_35-0">^</a></b></span> <span class="reference-text">RFC 2367, <i>PF_KEYv2 Key Management API</i>, Dan McDonald, Bao Phan, & Craig Metz (July 1998)</span> </li> <li id="cite_note-36"><span class="mw-cite-backlink"><b><a href="#cite_ref-36">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFHamadPrevelakis2015" class="citation book cs1">Hamad, Mohammad; Prevelakis, Vassilis (2015). "Implementation and performance evaluation of embedded IPsec in microkernel OS". <a rel="nofollow" class="external text" href="https://publikationsserver.tu-braunschweig.de/receive/dbbs_mods_00065815"><i>2015 World Symposium on Computer Networks and Information Security (WSCNIS)</i></a>. IEEE. pp. <span class="nowrap">1–</span>7. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1109%2Fwscnis.2015.7368294">10.1109/wscnis.2015.7368294</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9781479999064" title="Special:BookSources/9781479999064"><bdi>9781479999064</bdi></a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:16935000">16935000</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Implementation+and+performance+evaluation+of+embedded+IPsec+in+microkernel+OS&rft.btitle=2015+World+Symposium+on+Computer+Networks+and+Information+Security+%28WSCNIS%29&rft.pages=%3Cspan+class%3D%22nowrap%22%3E1-%3C%2Fspan%3E7&rft.pub=IEEE&rft.date=2015&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A16935000%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1109%2Fwscnis.2015.7368294&rft.isbn=9781479999064&rft.aulast=Hamad&rft.aufirst=Mohammad&rft.au=Prevelakis%2C+Vassilis&rft_id=https%3A%2F%2Fpublikationsserver.tu-braunschweig.de%2Freceive%2Fdbbs_mods_00065815&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-rfc6434-37"><span class="mw-cite-backlink"><b><a href="#cite_ref-rfc6434_37-0">^</a></b></span> <span class="reference-text">RFC 6434, "IPv6 Node Requirements", E. Jankiewicz, J. Loughney, T. Narten (December 2011)</span> </li> <li id="cite_note-38"><span class="mw-cite-backlink"><b><a href="#cite_ref-38">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://datatracker.ietf.org/wg/ipsecme/charter/">"ipsecme charter"</a><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2015-10-26</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ipsecme+charter&rft_id=https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fipsecme%2Fcharter%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-39"><span class="mw-cite-backlink"><b><a href="#cite_ref-39">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://tools.ietf.org/wg/ipsecme/">"ipsecme status"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">2015-10-26</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=ipsecme+status&rft_id=https%3A%2F%2Ftools.ietf.org%2Fwg%2Fipsecme%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-40"><span class="mw-cite-backlink"><b><a href="#cite_ref-40">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation news cs1"><a rel="nofollow" class="external text" href="https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html">"Secret Documents Reveal N.S.A. Campaign Against Encryption"</a>. 
<i>New York Times</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=New+York+Times&rft.atitle=Secret+Documents+Reveal+N.S.A.+Campaign+Against+Encryption&rft_id=https%3A%2F%2Fwww.nytimes.com%2Finteractive%2F2013%2F09%2F05%2Fus%2Fdocuments-reveal-nsa-campaign-against-encryption.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-gilmore_bullrun-41"><span class="mw-cite-backlink"><b><a href="#cite_ref-gilmore_bullrun_41-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFJohn_Gilmore" class="citation web cs1">John Gilmore. <a rel="nofollow" class="external text" href="http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html">"Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"<span class="cs1-kern-right"></span>"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Re%3A+%5BCryptography%5D+Opening+Discussion%3A+Speculation+on+%22BULLRUN%22&rft.au=John+Gilmore&rft_id=http%3A%2F%2Fwww.mail-archive.com%2Fcryptography%40metzdowd.com%2Fmsg12325.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-42"><span class="mw-cite-backlink"><b><a href="#cite_ref-42">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFTheo_de_Raadt" class="citation web cs1">Theo de Raadt. 
<a rel="nofollow" class="external text" href="https://marc.info/?l=openbsd-tech&m=129236621626462&w=2">"Allegations regarding OpenBSD IPSEC"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Allegations+regarding+OpenBSD+IPSEC&rft.au=Theo+de+Raadt&rft_id=http%3A%2F%2Fmarc.info%2F%3Fl%3Dopenbsd-tech%26m%3D129236621626462%26w%3D2&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-43"><span class="mw-cite-backlink"><b><a href="#cite_ref-43">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFJason_Wright" class="citation web cs1">Jason Wright. <a rel="nofollow" class="external text" href="https://marc.info/?l=openbsd-tech&m=129244045916861&w=2">"Allegations regarding OpenBSD IPSEC"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Allegations+regarding+OpenBSD+IPSEC&rft.au=Jason+Wright&rft_id=http%3A%2F%2Fmarc.info%2F%3Fl%3Dopenbsd-tech%26m%3D129244045916861%26w%3D2&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-44"><span class="mw-cite-backlink"><b><a href="#cite_ref-44">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFTheo_de_Raadt" class="citation web cs1">Theo de Raadt. 
<a rel="nofollow" class="external text" href="https://lwn.net/Articles/420858/">"Update on the OpenBSD IPSEC backdoor allegation"</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Update+on+the+OpenBSD+IPSEC+backdoor+allegation&rft.au=Theo+de+Raadt&rft_id=https%3A%2F%2Flwn.net%2FArticles%2F420858%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-weakdh-45"><span class="mw-cite-backlink">^ <a href="#cite_ref-weakdh_45-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-weakdh_45-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFAdrianBhargavanDurumericGaudry2015" class="citation book cs1">Adrian, David; Bhargavan, Karthikeyan; Durumeric, Zakir; Gaudry, Pierrick; Green, Matthew; Halderman, J. Alex; Heninger, Nadia; Springall, Drew; Thomé, Emmanuel; Valenta, Luke; Vandersloot, Benjamin; Wustrow, Eric; Zanella-Béguelin, Santiago; Zimmermann, Paul (2015). <a rel="nofollow" class="external text" href="https://doi.org/10.1145/2810103.2813707">"Imperfect Forward Secrecy"</a>. <i>Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security</i>. pp. <span class="nowrap">5–</span>17. <a href="/wiki/Doi_(identifier)" class="mw-redirect" title="Doi (identifier)">doi</a>:<a rel="nofollow" class="external text" href="https://doi.org/10.1145%2F2810103.2813707">10.1145/2810103.2813707</a>. <a href="/wiki/ISBN_(identifier)" class="mw-redirect" title="ISBN (identifier)">ISBN</a> <a href="/wiki/Special:BookSources/9781450338325" title="Special:BookSources/9781450338325"><bdi>9781450338325</bdi></a>. 
<a href="/wiki/S2CID_(identifier)" class="mw-redirect" title="S2CID (identifier)">S2CID</a> <a rel="nofollow" class="external text" href="https://api.semanticscholar.org/CorpusID:347988">347988</a>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.atitle=Imperfect+Forward+Secrecy&rft.btitle=Proceedings+of+the+22nd+ACM+SIGSAC+Conference+on+Computer+and+Communications+Security&rft.pages=%3Cspan+class%3D%22nowrap%22%3E5-%3C%2Fspan%3E17&rft.date=2015&rft_id=https%3A%2F%2Fapi.semanticscholar.org%2FCorpusID%3A347988%23id-name%3DS2CID&rft_id=info%3Adoi%2F10.1145%2F2810103.2813707&rft.isbn=9781450338325&rft.aulast=Adrian&rft.aufirst=David&rft.au=Bhargavan%2C+Karthikeyan&rft.au=Durumeric%2C+Zakir&rft.au=Gaudry%2C+Pierrick&rft.au=Green%2C+Matthew&rft.au=Halderman%2C+J.+Alex&rft.au=Heninger%2C+Nadia&rft.au=Springall%2C+Drew&rft.au=Thom%C3%A9%2C+Emmanuel&rft.au=Valenta%2C+Luke&rft.au=Vandersloot%2C+Benjamin&rft.au=Wustrow%2C+Eric&rft.au=Zanella-B%C3%A9guelin%2C+Santiago&rft.au=Zimmermann%2C+Paul&rft_id=https%3A%2F%2Fdoi.org%2F10.1145%2F2810103.2813707&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-46"><span class="mw-cite-backlink"><b><a href="#cite_ref-46">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFGoodin2016" class="citation news cs1">Goodin, Dan (August 16, 2016). <a rel="nofollow" class="external text" href="https://arstechnica.com/security/2016/08/code-dumped-online-came-from-omnipotent-nsa-tied-hacking-group/">"Confirmed: hacking tool leak came from "omnipotent" NSA-tied group"</a>. <i>Ars Technica</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">August 19,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=Ars+Technica&rft.atitle=Confirmed%3A+hacking+tool+leak+came+from+%22omnipotent%22+NSA-tied+group&rft.date=2016-08-16&rft.aulast=Goodin&rft.aufirst=Dan&rft_id=https%3A%2F%2Farstechnica.com%2Fsecurity%2F2016%2F08%2Fcode-dumped-online-came-from-omnipotent-nsa-tied-hacking-group%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-47"><span class="mw-cite-backlink"><b><a href="#cite_ref-47">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFThomson2016" class="citation news cs1">Thomson, Iain (August 17, 2016). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2016/08/17/cisco_two_shadow_brokers_vulnerabilities_real/">"Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">September 16,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=The+Register&rft.atitle=Cisco+confirms+two+of+the+Shadow+Brokers%27+%27NSA%27+vulns+are+real&rft.date=2016-08-17&rft.aulast=Thomson&rft.aufirst=Iain&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2016%2F08%2F17%2Fcisco_two_shadow_brokers_vulnerabilities_real%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-48"><span class="mw-cite-backlink"><b><a href="#cite_ref-48">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFPauli2016" class="citation news cs1">Pauli, Darren (August 24, 2016). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2016/08/24/equation_group_exploit_expanded_to_target_cisco_924_asa_boxes/">"Equation Group exploit hits newer Cisco ASA, Juniper Netscreen"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">September 16,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=The+Register&rft.atitle=Equation+Group+exploit+hits+newer+Cisco+ASA%2C+Juniper+Netscreen&rft.date=2016-08-24&rft.aulast=Pauli&rft.aufirst=Darren&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2016%2F08%2F24%2Fequation_group_exploit_expanded_to_target_cisco_924_asa_boxes%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-49"><span class="mw-cite-backlink"><b><a href="#cite_ref-49">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite id="CITEREFChirgwin2016" class="citation news cs1">Chirgwin, Richard (August 18, 2016). <a rel="nofollow" class="external text" href="https://www.theregister.co.uk/2016/08/18/fortinet_follows_cisco_in_confirming_shadow_broker_vuln/">"Fortinet follows Cisco in confirming Shadow Broker vuln"</a>. <i><a href="/wiki/The_Register" title="The Register">The Register</a></i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">September 16,</span> 2016</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.jtitle=The+Register&rft.atitle=Fortinet+follows+Cisco+in+confirming+Shadow+Broker+vuln&rft.date=2016-08-18&rft.aulast=Chirgwin&rft.aufirst=Richard&rft_id=https%3A%2F%2Fwww.theregister.co.uk%2F2016%2F08%2F18%2Ffortinet_follows_cisco_in_confirming_shadow_broker_vuln%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-50"><span class="mw-cite-backlink"><b><a href="#cite_ref-50">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://crypto.stackexchange.com/questions/27404/what-are-the-problems-of-ikev1-aggressive-mode-compared-to-ikev1-main-mode-or-i">"key exchange - What are the problems of IKEv1 aggressive mode (compared to IKEv1 main mode or IKEv2)?"</a>. 
<i>Cryptography Stack Exchange</i>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Cryptography+Stack+Exchange&rft.atitle=key+exchange+-+What+are+the+problems+of+IKEv1+aggressive+mode+%28compared+to+IKEv1+main+mode+or+IKEv2%29%3F&rft_id=https%3A%2F%2Fcrypto.stackexchange.com%2Fquestions%2F27404%2Fwhat-are-the-problems-of-ikev1-aggressive-mode-compared-to-ikev1-main-mode-or-i&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> <li id="cite_note-51"><span class="mw-cite-backlink"><b><a href="#cite_ref-51">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" /><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/">"Don't stop using IPsec just yet"</a>. <i>No Hats</i>. December 29, 2014.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=No+Hats&rft.atitle=Don%27t+stop+using+IPsec+just+yet&rft.date=2014-12-29&rft_id=https%3A%2F%2Fnohats.ca%2Fwordpress%2Fblog%2F2014%2F12%2F29%2Fdont-stop-using-ipsec-just-yet%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3AInternet+Protocol+Security" class="Z3988"></span></span> </li> </ol></div> <div class="mw-heading mw-heading2"><h2 id="Further_reading">Further reading</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=19" title="Edit section: Further reading"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading3"><h3 id="Standards_track">Standards track</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=20" title="Edit 
section: Standards track"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1829">1829</a>: The ESP DES-CBC Transform</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2403">2403</a>: The Use of HMAC-MD5-96 within ESP and AH</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2404">2404</a>: The Use of HMAC-SHA-1-96 within ESP and AH</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2405">2405</a>: The ESP DES-CBC Cipher Algorithm With Explicit IV</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2410">2410</a>: The NULL Encryption Algorithm and Its Use With IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2451">2451</a>: The ESP CBC-Mode Cipher Algorithms</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2857">2857</a>: The Use of HMAC-RIPEMD-160-96 within ESP and AH</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" 
href="https://datatracker.ietf.org/doc/html/rfc3526">3526</a>: More Modular Exponential (MODP) <a href="/wiki/Diffie%E2%80%93Hellman_key_exchange" title="Diffie–Hellman key exchange">Diffie-Hellman</a> groups for Internet Key Exchange (IKE)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3602">3602</a>: The <a href="/wiki/AES-CBC" class="mw-redirect" title="AES-CBC">AES-CBC</a> Cipher Algorithm and Its Use with IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3686">3686</a>: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3947">3947</a>: Negotiation of NAT-Traversal in the IKE</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3948">3948</a>: UDP Encapsulation of IPsec ESP Packets</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4106">4106</a>: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4301">4301</a>: Security Architecture for the Internet Protocol</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" 
class="external text" href="https://datatracker.ietf.org/doc/html/rfc4302">4302</a>: IP Authentication Header</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4303">4303</a>: IP Encapsulating Security Payload</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4304">4304</a>: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4307">4307</a>: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (<a href="/wiki/IKEv2" class="mw-redirect" title="IKEv2">IKEv2</a>)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4308">4308</a>: Cryptographic Suites for IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4309">4309</a>: Using <a href="/wiki/Advanced_Encryption_Standard" title="Advanced Encryption Standard">Advanced Encryption Standard</a> (AES) <a href="/wiki/CCM_mode" title="CCM mode">CCM mode</a> with IPsec Encapsulating Security Payload (ESP)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4543">4543</a>: The Use of <a href="/wiki/Galois_Message_Authentication_Code" class="mw-redirect" title="Galois 
Message Authentication Code">Galois Message Authentication Code</a> (GMAC) in IPsec ESP and AH</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4555">4555</a>: IKEv2 Mobility and Multihoming Protocol (MOBIKE)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4806">4806</a>: Online Certificate Status Protocol (OCSP) Extensions to IKEv2</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4868">4868</a>: Using <a href="/wiki/HMAC-SHA-256" class="mw-redirect" title="HMAC-SHA-256">HMAC-SHA-256</a>, HMAC-SHA-384, and HMAC-SHA-512 with IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4945">4945</a>: The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5280">5280</a>: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5282">5282</a>: Using Authenticated Encryption Algorithms with the Encrypted Payload of the Internet Key Exchange version 2 (IKEv2) Protocol</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" 
href="https://datatracker.ietf.org/doc/html/rfc5386">5386</a>: Better-Than-Nothing Security: An Unauthenticated Mode of IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5529">5529</a>: Modes of Operation for <a href="/wiki/Camellia_(cipher)" title="Camellia (cipher)">Camellia</a> for Use with IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5685">5685</a>: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5723">5723</a>: Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5857">5857</a>: IKEv2 Extensions to Support Robust Header Compression over IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5858">5858</a>: IPsec Extensions to Support Robust Header Compression over IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7296">7296</a>: Internet Key Exchange Protocol Version 2 (IKEv2)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7321">7321</a>: Cryptographic Algorithm 
Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7383">7383</a>: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7427">7427</a>: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc7634">7634</a>: ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec</li></ul> <div class="mw-heading mw-heading3"><h3 id="Experimental_RFCs">Experimental RFCs</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=21" title="Edit section: Experimental RFCs"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4478">4478</a>: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol</li></ul> <div class="mw-heading mw-heading3"><h3 id="Informational_RFCs">Informational RFCs</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=22" title="Edit section: Informational RFCs"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link 
rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2367">2367</a>: PF_KEY Interface</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2412">2412</a>: The OAKLEY Key Determination Protocol</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3706">3706</a>: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc3715">3715</a>: IPsec-Network Address Translation (NAT) Compatibility Requirements</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4621">4621</a>: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4809">4809</a>: Requirements for an IPsec Certificate Management Profile</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5387">5387</a>: Problem and Applicability Statement for Better-Than-Nothing Security (BTNS)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5856">5856</a>: Integration 
of Robust Header Compression over IPsec Security Associations</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5930">5930</a>: Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6027">6027</a>: IPsec Cluster Problem Statement</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6071">6071</a>: IPsec and IKE Document Roadmap</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6379">6379</a>: <a href="/wiki/Suite_B" class="mw-redirect" title="Suite B">Suite B</a> Cryptographic Suites for IPsec</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6380">6380</a>: Suite B Profile for Internet Protocol Security (IPsec)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc6467">6467</a>: Secure Password Framework for Internet Key Exchange Version 2 (IKEv2)</li></ul> <div class="mw-heading mw-heading3"><h3 id="Best_current_practice_RFCs">Best current practice RFCs</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=23" title="Edit section: Best current practice 
RFCs"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5406">5406</a>: Guidelines for Specifying the Use of IPsec Version 2</li></ul> <div class="mw-heading mw-heading3"><h3 id="Obsolete/historic_RFCs"><span id="Obsolete.2Fhistoric_RFCs"></span>Obsolete/historic RFCs</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=24" title="Edit section: Obsolete/historic RFCs"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1825">1825</a>: Security Architecture for the Internet Protocol (obsoleted by RFC 2401)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1826">1826</a>: IP Authentication Header (obsoleted by RFC 2402)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1827">1827</a>: IP Encapsulating Security Payload (ESP) (obsoleted by RFC 2406)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc1828">1828</a>: IP Authentication using Keyed <a href="/wiki/MD5" title="MD5">MD5</a> (historic)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" 
href="https://datatracker.ietf.org/doc/html/rfc2401">2401</a>: Security Architecture for the Internet Protocol (IPsec overview) (obsoleted by RFC 4301)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2406">2406</a>: IP Encapsulating Security Payload (ESP) (obsoleted by RFC 4303 and RFC 4305)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2407">2407</a>: The Internet IP Security Domain of Interpretation for ISAKMP (obsoleted by RFC 4306)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc2409">2409</a>: The Internet Key Exchange (obsoleted by RFC 4306)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4305">4305</a>: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) (obsoleted by RFC 4835)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4306">4306</a>: Internet Key Exchange (IKEv2) Protocol (obsoleted by RFC 5996)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc4718">4718</a>: IKEv2 Clarifications and Implementation Guidelines (obsoleted by RFC 7296)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" 
href="https://datatracker.ietf.org/doc/html/rfc4835">4835</a>: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) (obsoleted by RFC 7321)</li> <li><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222" />RFC <a rel="nofollow" class="external text" href="https://datatracker.ietf.org/doc/html/rfc5996">5996</a>: Internet Key Exchange Protocol Version 2 (IKEv2) (obsoleted by RFC 7296)</li></ul> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Internet_Protocol_Security&action=edit&section=25" title="Edit section: External links"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a rel="nofollow" class="external text" href="http://www.ietf.org/html.charters/wg-dir.html#Security%20Area">All IETF active security WGs</a> <ul><li><a rel="nofollow" class="external text" href="http://datatracker.ietf.org/wg/ipsecme/">IETF ipsecme WG</a> ("IP Security Maintenance and Extensions" Working Group)</li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20070416135452/http://www.ietf.org/html.charters/btns-charter.html">IETF btns WG</a> ("Better-Than-Nothing Security" Working Group) (chartered to work on unauthenticated IPsec, IPsec APIs, connection latching)</li></ul></li> <li><a rel="nofollow" class="external text" href="http://www.windowsecurity.com/articles/Securing_Data_in_Transit_with_IPSec.html">Securing Data in Transit with IPsec</a> <a rel="nofollow" class="external text" href="https://web.archive.org/web/20081013035743/http://www.windowsecurity.com/articles/Securing_Data_in_Transit_with_IPSec.html">Archived</a> 2008-10-13 at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> WindowsSecurity.com article by Deb Shinder</li> <li><a rel="nofollow" 
class="external text" href="http://www.microsoft.com/ipsec">IPsec</a> on Microsoft TechNet <ul><li><a rel="nofollow" class="external text" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=1d4c292c-7998-42e4-8786-789c7b457881&displaylang=en">Microsoft IPsec Diagnostic Tool</a> on Microsoft Download Center</li></ul></li> <li><a rel="nofollow" class="external text" href="http://www.unixwiz.net/techtips/iguide-ipsec.html">An Illustrated Guide to IPsec</a> by Steve Friedl</li> <li><a rel="nofollow" class="external text" href="https://www.ict.tuwien.ac.at/lva/384.081/infobase/P97-IPsec_v4-7.pdf">Security Architecture for IP (IPsec)</a> Data Communication Lectures by Manfred Lindner Part IPsec</li> <li><a rel="nofollow" class="external text" href="http://www.linuxjournal.com/article/9916">Creating VPNs with IPsec and SSL/TLS</a> Linux Journal article by Rami Rosen</li></ul>
</div></td></tr><tr><th scope="row" class="navbox-group" style="width:10em"><a href="/wiki/McAfee" title="McAfee">McAfee</a></th><td class="navbox-list-with-group navbox-list navbox-odd" style="padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/TunnelBear" title="TunnelBear">TunnelBear</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:10em">Tesonet</th><td class="navbox-list-with-group navbox-list navbox-even" style="padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/NordVPN" title="NordVPN">NordVPN</a></li> <li><a href="/wiki/NordLayer" title="NordLayer">NordLayer</a></li> <li><a href="/wiki/Surfshark" class="mw-redirect" title="Surfshark">Surfshark</a></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:10em"><a href="/wiki/Ziff_Davis" title="Ziff Davis">Ziff Davis</a></th><td class="navbox-list-with-group navbox-list navbox-odd" style="padding:0"><div style="padding:0 0.25em"> <ul><li><a href="/wiki/IPVanish" title="IPVanish">IPVanish</a></li> <li><a href="/wiki/StrongVPN" class="mw-redirect" title="StrongVPN">StrongVPN</a></li></ul> </div></td></tr></tbody></table><div> <ul><li><a href="/wiki/Hola_(VPN)" title="Hola (VPN)">Hola</a></li> <li><a href="/wiki/IVPN" title="IVPN">IVPN</a></li> <li><a href="/wiki/Mozilla_VPN" title="Mozilla VPN">Mozilla VPN</a></li> <li><a href="/wiki/Mullvad" title="Mullvad">Mullvad</a></li> <li><a href="/wiki/PrivadoVPN" title="PrivadoVPN">PrivadoVPN</a></li> <li><a href="/wiki/Proton_VPN" title="Proton VPN">Proton VPN</a></li> <li><a href="/wiki/PureVPN" title="PureVPN">PureVPN</a></li> <li><a href="/wiki/SaferVPN" title="SaferVPN">SaferVPN</a></li> <li><a href="/wiki/Windscribe" title="Windscribe">Windscribe</a></li></ul></div></td></tr></tbody></table></div> <div class="navbox-styles"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1129693374" /><link rel="mw-deduplicated-inline-style" 
href="mw-data:TemplateStyles:r1236075235" /><style data-mw-deduplicate="TemplateStyles:r1038841319">.mw-parser-output .tooltip-dotted{border-bottom:1px dotted;cursor:help}</style></div><div role="navigation" class="navbox authority-control" aria-label="Navbox729" style="padding:3px"><table class="nowraplinks hlist navbox-inner" style="border-spacing:0;background:transparent;color:inherit"><tbody><tr><th scope="row" class="navbox-group" style="width:1%"><a href="/wiki/Help:Authority_control" title="Help:Authority control">Authority control databases</a>: National <span class="mw-valign-text-top noprint" typeof="mw:File/Frameless"><a href="https://www.wikidata.org/wiki/Q210214#identifiers" title="Edit this at Wikidata"><img alt="Edit this at Wikidata" src="//upload.wikimedia.org/wikipedia/en/thumb/8/8a/OOjs_UI_icon_edit-ltr-progressive.svg/20px-OOjs_UI_icon_edit-ltr-progressive.svg.png" decoding="async" width="10" height="10" class="mw-file-element" data-file-width="20" data-file-height="20" /></a></span></th><td class="navbox-list-with-group navbox-list navbox-odd" style="width:100%;padding:0"><div style="padding:0 0.25em"><ul><li><span class="uid"><a rel="nofollow" class="external text" href="https://d-nb.info/gnd/4595061-1">Germany</a></span></li><li><span class="uid"><span class="rt-commentedText tooltip tooltip-dotted" title="IPSec (Computer network protocol)"><a rel="nofollow" class="external text" href="https://id.loc.gov/authorities/sh99003638">United States</a></span></span></li><li><span class="uid"><a rel="nofollow" class="external text" href="https://www.nli.org.il/en/authorities/987007534836805171">Israel</a></span></li></ul></div></td></tr></tbody></table></div> <!-- NewPP limit report Parsed by mw‐web.codfw.main‐6f7c94ff49‐q6bjx Cached time: 20250410013950 Cache expiry: 2592000 Reduced expiry: false Complications: [vary‐revision‐sha1, show‐toc] CPU time usage: 1.347 seconds Real time usage: 1.549 seconds Preprocessor visited node count: 54055/1000000 
Post‐expand include size: 461282/2097152 bytes Template argument size: 23434/2097152 bytes Highest expansion depth: 31/100 Expensive parser function count: 12/500 Unstrip recursion depth: 1/20 Unstrip post‐expand size: 451049/5000000 bytes Lua time usage: 0.701/10.000 seconds Lua memory usage: 7810850/52428800 bytes Number of Wikibase entities loaded: 1/500 --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 1397.022 1 -total 47.19% 659.310 21 Template:Ref_RFC 30.48% 425.766 42 Template:Cite_IETF 21.18% 295.844 21 Template:Ref_RFC/getref 13.25% 185.109 90 Template:IETF_RFC 12.59% 175.895 1 Template:Reflist 12.47% 174.159 90 Template:Catalog_lookup_link 8.68% 121.224 28 Template:APHD 5.84% 81.615 1 Template:IPstack 5.44% 76.048 1 Template:Short_description --> <!-- Saved in parser cache with key enwiki:pcache:43342:|#|:idhash:canonical and timestamp 20250410013950 and revision id 1282710229. Rendering was triggered because: page-view --> </div><!--esi <esi:include src="/esitest-fa8a495983347898/content" /> --><noscript><img src="https://auth.wikimedia.org/loginwiki/wiki/Special:CentralAutoLogin/start?useformat=desktop&type=1x1&usesul3=1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://en.wikipedia.org/w/index.php?title=Internet_Protocol_Security&oldid=1282710229">https://en.wikipedia.org/w/index.php?title=Internet_Protocol_Security&oldid=1282710229</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Help:Category" title="Help:Category">Categories</a>: <ul><li><a href="/wiki/Category:IPsec" title="Category:IPsec">IPsec</a></li><li><a href="/wiki/Category:Cryptographic_protocols" title="Category:Cryptographic protocols">Cryptographic protocols</a></li><li><a href="/wiki/Category:Internet_protocols" title="Category:Internet 
protocols">Internet protocols</a></li><li><a href="/wiki/Category:Network_layer_protocols" title="Category:Network layer protocols">Network layer protocols</a></li><li><a href="/wiki/Category:Tunneling_protocols" title="Category:Tunneling protocols">Tunneling protocols</a></li></ul></div><div id="mw-hidden-catlinks" class="mw-hidden-catlinks mw-hidden-cats-hidden">Hidden categories: <ul><li><a href="/wiki/Category:Articles_with_short_description" title="Category:Articles with short description">Articles with short description</a></li><li><a href="/wiki/Category:Short_description_is_different_from_Wikidata" title="Category:Short description is different from Wikidata">Short description is different from Wikidata</a></li><li><a href="/wiki/Category:All_articles_with_unsourced_statements" title="Category:All articles with unsourced statements">All articles with unsourced statements</a></li><li><a href="/wiki/Category:Articles_with_unsourced_statements_from_January_2019" title="Category:Articles with unsourced statements from January 2019">Articles with unsourced statements from January 2019</a></li><li><a href="/wiki/Category:Articles_with_unsourced_statements_from_April_2020" title="Category:Articles with unsourced statements from April 2020">Articles with unsourced statements from April 2020</a></li><li><a href="/wiki/Category:Webarchive_template_wayback_links" title="Category:Webarchive template wayback links">Webarchive template wayback links</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 28 March 2025, at 04:04<span class="anonymous-show"> (UTC)</span>.</li> <li id="footer-info-copyright">Text is available under the <a href="/wiki/Wikipedia:Text_of_the_Creative_Commons_Attribution-ShareAlike_4.0_International_License" title="Wikipedia:Text of the Creative Commons Attribution-ShareAlike 4.0 International 
License">Creative Commons Attribution-ShareAlike 4.0 License</a>; additional terms may apply. By using this site, you agree to the <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use" class="extiw" title="foundation:Special:MyLanguage/Policy:Terms of Use">Terms of Use</a> and <a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy" class="extiw" title="foundation:Special:MyLanguage/Policy:Privacy policy">Privacy Policy</a>. Wikipedia® is a registered trademark of the <a rel="nofollow" class="external text" href="https://wikimediafoundation.org/">Wikimedia Foundation, Inc.</a>, a non-profit organization.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Wikipedia:About">About Wikipedia</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Wikipedia:General_disclaimer">Disclaimers</a></li> <li id="footer-places-contact"><a href="//en.wikipedia.org/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Universal_Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/en.wikipedia.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//en.m.wikipedia.org/w/index.php?title=Internet_Protocol_Security&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://www.wikimedia.org/" 
class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><picture><source media="(min-width: 500px)" srcset="/static/images/footer/wikimedia-button.svg" width="84" height="29"><img src="/static/images/footer/wikimedia.svg" width="25" height="25" alt="Wikimedia Foundation" lang="en" loading="lazy"></picture></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><picture><source media="(min-width: 500px)" srcset="/w/resources/assets/poweredby_mediawiki.svg" width="88" height="31"><img src="/w/resources/assets/mediawiki_compact.svg" alt="Powered by MediaWiki" lang="en" width="25" height="25" loading="lazy"></picture></a></li> </ul> </footer> </div> </div> </div> <div class="vector-header-container vector-sticky-header-container"> <div id="vector-sticky-header" class="vector-sticky-header"> <div class="vector-sticky-header-start"> <div class="vector-sticky-header-icon-start vector-button-flush-left vector-button-flush-right" aria-hidden="true"> <button class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-sticky-header-search-toggle" tabindex="-1" data-event-name="ui.vector-sticky-search-form.icon"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </button> </div> <div role="search" class="vector-search-box-vue vector-search-box-show-thumbnail vector-search-box"> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail"> <form action="/w/index.php" id="vector-sticky-search-form" class="cdx-search-input cdx-search-input--has-end-button"> <div class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search Wikipedia"> <span 
class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <div class="vector-sticky-header-context-bar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-sticky-header-toc" class="vector-dropdown mw-portlet mw-portlet-sticky-header-toc vector-sticky-header-toc vector-button-flush-left" > <input type="checkbox" id="vector-sticky-header-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-sticky-header-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-sticky-header-toc-label" for="vector-sticky-header-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> </label> <div class="vector-dropdown-content"> <div id="vector-sticky-header-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div class="vector-sticky-header-context-bar-primary" aria-hidden="true" ><span class="mw-page-title-main">Internet Protocol Security</span></div> </div> </div> <div class="vector-sticky-header-end" aria-hidden="true"> <div class="vector-sticky-header-icons"> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only" id="ca-talk-sticky-header" tabindex="-1" data-event-name="talk-sticky-header"><span class="vector-icon mw-ui-icon-speechBubbles mw-ui-icon-wikimedia-speechBubbles"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet 
cdx-button--icon-only" id="ca-subject-sticky-header" tabindex="-1" data-event-name="subject-sticky-header"><span class="vector-icon mw-ui-icon-article mw-ui-icon-wikimedia-article"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only" id="ca-history-sticky-header" tabindex="-1" data-event-name="history-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-history mw-ui-icon-wikimedia-wikimedia-history"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only mw-watchlink" id="ca-watchstar-sticky-header" tabindex="-1" data-event-name="watch-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-star mw-ui-icon-wikimedia-wikimedia-star"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only" id="ca-edit-sticky-header" tabindex="-1" data-event-name="wikitext-edit-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-wikiText mw-ui-icon-wikimedia-wikimedia-wikiText"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only" id="ca-ve-edit-sticky-header" tabindex="-1" data-event-name="ve-edit-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-edit mw-ui-icon-wikimedia-wikimedia-edit"></span> <span></span> </a> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only" id="ca-viewsource-sticky-header" tabindex="-1" data-event-name="ve-edit-protected-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-editLock mw-ui-icon-wikimedia-wikimedia-editLock"></span> <span></span> </a> </div> <div class="vector-sticky-header-buttons"> <button 
class="cdx-button cdx-button--weight-quiet mw-interlanguage-selector" id="p-lang-btn-sticky-header" tabindex="-1" data-event-name="ui.dropdown-p-lang-btn-sticky-header"><span class="vector-icon mw-ui-icon-wikimedia-language mw-ui-icon-wikimedia-wikimedia-language"></span> <span>39 languages</span> </button> <a href="#" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--action-progressive" id="ca-addsection-sticky-header" tabindex="-1" data-event-name="addsection-sticky-header"><span class="vector-icon mw-ui-icon-speechBubbleAdd-progressive mw-ui-icon-wikimedia-speechBubbleAdd-progressive"></span> <span>Add topic</span> </a> </div> <div class="vector-sticky-header-icon-end"> <div class="vector-user-links"> </div> </div> </div> </div> </div> <div class="mw-portlet mw-portlet-dock-bottom emptyPortlet" id="p-dock-bottom"> <ul> </ul> </div> <script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-6f7c94ff49-6tg9x","wgBackendResponseTime":193,"wgPageParseReport":{"limitreport":{"cputime":"1.347","walltime":"1.549","ppvisitednodes":{"value":54055,"limit":1000000},"postexpandincludesize":{"value":461282,"limit":2097152},"templateargumentsize":{"value":23434,"limit":2097152},"expansiondepth":{"value":31,"limit":100},"expensivefunctioncount":{"value":12,"limit":500},"unstrip-depth":{"value":1,"limit":20},"unstrip-size":{"value":451049,"limit":5000000},"entityaccesscount":{"value":1,"limit":500},"timingprofile":["100.00% 1397.022 1 -total"," 47.19% 659.310 21 Template:Ref_RFC"," 30.48% 425.766 42 Template:Cite_IETF"," 21.18% 295.844 21 Template:Ref_RFC/getref"," 13.25% 185.109 90 Template:IETF_RFC"," 12.59% 175.895 1 Template:Reflist"," 12.47% 174.159 90 Template:Catalog_lookup_link"," 8.68% 121.224 28 Template:APHD"," 5.84% 81.615 1 Template:IPstack"," 5.44% 76.048 1 
Template:Short_description"]},"scribunto":{"limitreport-timeusage":{"value":"0.701","limit":"10.000"},"limitreport-memusage":{"value":7810850,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-6f7c94ff49-q6bjx","timestamp":"20250410013950","ttl":2592000,"transientcontent":false}}});});</script> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Internet Protocol Security","url":"https:\/\/en.wikipedia.org\/wiki\/Internet_Protocol_Security","sameAs":"http:\/\/www.wikidata.org\/entity\/Q210214","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q210214","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2002-03-08T08:58:19Z","dateModified":"2025-03-28T04:04:34Z","headline":"protocol suite for securing Internet Protocol communications"}</script> </body> </html>